sofysr has asked for the wisdom of the Perl Monks concerning the following question:

I am using the Net::SFTP::Foreign module through a Perl script to connect to an SFTP server with the sample command below:

Net::SFTP::Foreign->new($host, port => '22', backend => 'Net_SSH2')

Yesterday I got an email from the SFTP server team that says that they are restricting the allowed SSH Algorithms to the following:

Options (allowed Algorithms):
• Ciphers: aes256-ctr,aes192-ctr,aes128-ctr
• Macs: hmac-sha256,hmac-sha2-256,hmac-sha512,hmac-sha2-512
• Kexs: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256

How do I know if I will be affected by this or not? How do I check the cipher the script is using?

Thanks,
sofysr

2019-04-07 Athanasius added code, paragraph, and break tags

Re: Net::SFTP::Foreign Cipher check
by hippo (Archbishop) on Apr 01, 2019 at 17:18 UTC

    You can specify which cipher to use with more. It's even one of the examples in the doc.

      Thank you. Yeah I saw that, but is there any way to find out what cipher I am using to connect? Since it is a Production environment, I do not want to change the script unless it is the only option. If the cipher that I am currently using is in the allowed range, then I am good. No need to make any changes to script.
        Using the same "more" option, you can give it the -v option to run in debug mode, which will display the ciphers used.
Re: Net::SFTP::Foreign Cipher check
by choroba (Cardinal) on Apr 01, 2019 at 17:39 UTC
    Crossposted to StackOverflow. It's considered polite to inform about crossposting to protect fellow hackers that don't visit both sites from unnecessary work.

    map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]
      Sorry about that. I don't post much. Don't know the rules. Will keep in mind next time though.
Re: Net::SFTP::Foreign Cipher check
by salva (Canon) on Apr 02, 2019 at 07:34 UTC
    As you are using the Net::SSH2 backend, you should check what libssh2 supports:
    Key Exchange Methods: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256
    Hostkey Types: ssh-rsa, ssh-dss
    Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, arcfour128, none

    You should also ensure that you are using a recent version of the library. Probably 1.8.2 which was released some days ago and incorporates several important security fixes.

    In any case, you should probably check yourself if it works for your particular configuration as libssh2 is quite buggy.

      Hi Salva,

      Thank you. I have 1.7.0 version of the libssh2 library. I checked the "crypt.c" file in the library folder and found the below code in it. Does this mean that it supports these ciphers:

      static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
      #if LIBSSH2_AES_CTR
          &libssh2_crypt_method_aes128_ctr,
          &libssh2_crypt_method_aes192_ctr,
          &libssh2_crypt_method_aes256_ctr,
      #endif /* LIBSSH2_AES */
      #if LIBSSH2_AES
          &libssh2_crypt_method_aes256_cbc,
          &libssh2_crypt_method_rijndael_cbc_lysator_liu_se, /* == aes256-cbc */
          &libssh2_crypt_method_aes192_cbc,
          &libssh2_crypt_method_aes128_cbc,
      #endif /* LIBSSH2_AES */
      #if LIBSSH2_BLOWFISH
          &libssh2_crypt_method_blowfish_cbc,
      #endif /* LIBSSH2_BLOWFISH */
      #if LIBSSH2_RC4
          &libssh2_crypt_method_arcfour128,
          &libssh2_crypt_method_arcfour,
      #endif /* LIBSSH2_RC4 */
      #if LIBSSH2_CAST
          &libssh2_crypt_method_cast128_cbc,
      #endif /* LIBSSH2_CAST */
      #if LIBSSH2_3DES
          &libssh2_crypt_method_3des_cbc,
      #endif /* LIBSSH2_DES */
      #ifdef LIBSSH2_CRYPT_NONE
          &libssh2_crypt_method_none,
      #endif
          NULL
      };

      Thanks.
        Well, probably, though it depends on all those #if blocks in the code you have pasted.

        There is only one way to know for sure, and it is trying!
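The following script is an added example, not code from the thread or from Net::SFTP::Foreign itself. It answers the question hippo and salva are circling (which algorithms the script actually negotiates, and whether they fall inside the server team's new lists) for the Net_SSH2 backend, where hippo's `more => '-v'` trick does not apply because libssh2 runs in-process and no external ssh binary is involved. It uses Net::SSH2 directly, the same library the backend drives, and calls `$ssh2->method($type)` after the handshake, which returns the negotiated method for that type. The allowed lists are copied from the question; the host, port and user are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): show which algorithms libssh2, via
# Net::SSH2, negotiates with the server, and compare them against the
# server team's allowed lists from the question. Only the SSH transport
# handshake is performed; no authentication is attempted, so no
# credentials are needed to run the check.
use strict;
use warnings;
use Net::SSH2;

# Placeholders: replace with the host and port your script uses.
my $host = 'sftp.example.com';
my $port = 22;

# Allowed algorithms, copied from the server team's email in the question.
# libssh2 negotiates client->server (CS) and server->client (SC)
# directions separately, so both are checked against the same list.
my @ciphers = qw(aes256-ctr aes192-ctr aes128-ctr);
my @macs    = qw(hmac-sha256 hmac-sha2-256 hmac-sha512 hmac-sha2-512);
my @kexs    = qw(diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp521
                 ecdh-sha2-nistp384 ecdh-sha2-nistp256);
my %allowed = (
    KEX      => \@kexs,
    CRYPT_CS => \@ciphers,
    CRYPT_SC => \@ciphers,
    MAC_CS   => \@macs,
    MAC_SC   => \@macs,
);

my $ssh2 = Net::SSH2->new();

# Uncomment to restrict the client side to the server's new lists before
# connecting; if the handshake then fails, your libssh2 cannot satisfy
# the new policy regardless of what it negotiates today.
# $ssh2->method('KEX',      join ',', @kexs);
# $ssh2->method('CRYPT_CS', join ',', @ciphers);
# $ssh2->method('CRYPT_SC', join ',', @ciphers);
# $ssh2->method('MAC_CS',   join ',', @macs);
# $ssh2->method('MAC_SC',   join ',', @macs);

# connect() runs the transport handshake, which is where KEX, cipher and
# MAC are negotiated; authentication happens later and is not needed here.
$ssh2->connect($host, $port)
    or die "connect to $host:$port failed: " . join(' ', $ssh2->error) . "\n";

my $all_ok = 1;
for my $type (qw(KEX CRYPT_CS CRYPT_SC MAC_CS MAC_SC)) {
    # With no values, method() returns the method active for this session.
    my $active = $ssh2->method($type) // '(unknown)';
    my $ok     = grep { $_ eq $active } @{ $allowed{$type} };
    printf "%-9s %-40s %s\n", $type, $active, $ok ? 'allowed' : 'NOT allowed';
    $all_ok = 0 unless $ok;
}

$ssh2->disconnect;

print $all_ok
    ? "All negotiated methods are within the allowed set; no script change needed.\n"
    : "At least one negotiated method will be rejected once the restriction is applied.\n";
exit($all_ok ? 0 : 1);
```

Run it against the production host from the machine where the script lives, so it exercises the same libssh2 build and Net::SSH2 version the script links against; salva's point is that a different libssh2 (he mentions 1.8.2, the poster has 1.7.0) can change the answer. Note that libssh2 1.7.0's list, as salva posted it, contains no ecdh-sha2-* key exchange, so with that version the only KEX that can survive the new policy is diffie-hellman-group-exchange-sha256, which is exactly what the KEX line of the output will tell you.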

Re: Net::SFTP::Foreign Cipher check
by haukex (Archbishop) on Apr 02, 2019 at 06:42 UTC

    Disclaimer: I'm not sure about this, but aren't SSH ciphers negotiated automatically at the start of the session? Net::SFTP::Foreign just uses the ssh that's available on the system*, so as long as that's up to date, you should be able to test by just using the ssh command to connect to the server at the command line to test whether it works.

    * Update: Ah, sorry, you're using backend => 'Net_SSH2'.