Skip to Main Content
Integration


This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Status Under review
Workspace Aspera Ideas
Created by Guest
Created on Feb 22, 2024

[Orchestrator] In Aspera Orchestrator, we would like to make sshd more secure by only accepting some predefined Ciphers/MACs/KexAlgorithms.

We would like to be able to controll how a Remote Node-connection in Aspera Orchestrator uses chipers and mac:s for security reasons.

This is what we would like to do and what happens today when we do it. In the end you can see how we would like it to work.

We update the file /etc/sshd_config on the transfer server, by adding the following lines:

KexAlgorithms diffie-hellman-group14-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group- exchange-sha256

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

When we restart sshd on the transfer server, the button for testing the Remote Node Connection in the Orchestrator UI stops working (we use the HSTS-server to watch for incoming files).


On the transfer server, we can see why if we check the /var/log/secure:

Feb 9 14:42:26 stoaspacctransfer01 sshd[49331]: Unable to negotiate with 10.24.117.23 port 47570: no matching MAC found. Their offer: hmac-sha1,hmac-md5,hmac-sha1-96,hmac- md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-512-96,none [preauth]

So we can see that the orchestrator is offering a set if MACs which are now disabled on the transfer server.


If we instead test the connection as user root from commandline on the orchestrator server, it's still works:

ssh -v -i id_rsa asporc@<transfer-server>

We believe the Orchestrator UI is using a different or non default set of MACs, how can we changes this so it behaves like the commandline?


Idea priority Urgent