All Servers - SSH Access Restricted

[Zigling]

People will goggle and find this thread.

I went through the proper channels, already. This is where people can learn and make informed choices before they spend their cashola.

My experiences and valid complaints do not make me a spoilt child. Stop with the smack-downs. Peace to you lot because I've said what I needed to say.


/Zig

[SlAiD]

@Zigling, just asking, how old are you?


SL

[Gump]

Quote:

Originally Posted by SlAiD

@Zigling, just asking, how old are you?

SlAiD, Please provide your age as well. I don't have a clue what this has to do with the discussion of SSH Access.

Just because a customer is unhappy with something doesn't mean others need to attack him to validate their own choice of vendor. Perhaps we could be a little more constructive?

[Target2019]

http://www.techworld.com/security/ne...?newsID=118941

Is this the flaw in question?

[quietFinn]

Quote:

Originally Posted by Target2019

http://www.techworld.com/security/ne...?newsID=118941

Is this the flaw in question?

if you mean this:

Quote:

There also seems to be some confusion between the alleged zero-day and a different vulnerability in OpenSSH, Zdrnja said. That vulnerability, which is as of yet unpatched, could allow an attacker to recover up to 32 bits of plain text from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration, according to an advisory from the UK's Center for the Protection of National Infrastructure (CPNI).

could be...

[jtoon86]

Quote:

Originally Posted by Target2019

Is this the flaw in question?

Hard to say. HG beyond saying they had some "credible evidence" of a security issue (that apparently no one else has ... OpenSSH development team, Red Hat, CentOS, other hosting companies, SANS, etc) has not provided details on what exactly they are protecting their servers from.

I'm glad they provided per-IP access as that is sufficient for my needs for the HG account I currently have with the company, but the lack of communication on exactly WHAT they are protecting us from and why upgrading to the latest version mid-last week wasn't sufficient enough still leaves me scratching my head.

Right now, as a customer, I find this lack of communication and missing a deadline w/o follow-up very concerning. While this is the first issue I have come across with HG since hosting with them mid-last year, I'd feel much more comfortable with some migration plans (migrating accounts from other hosting providers to HG) if there was more disclosure about this issue.

[SlAiD]

Quote:

Originally Posted by Gump

SlAiD, Please provide your age as well. I don't have a clue what this has to do with the discussion of SSH Access.

Just because a customer is unhappy with something doesn't mean others need to attack him to validate their own choice of vendor. Perhaps we could be a little more constructive?

If the customer is unhappy he have 45 days to move.

So: If he's unhappy with the procedures of HG does not help to go here - an unofficial channel - complaining about.

The childhood previous posts let me to ask that.


Anyway, let's get to the topic...


SL

[CPColin]

It's funny that HostGator is being this paranoid about this SSH vulnerability when they store our passwords as plain text, display them on various pages, and spew them in unencrypted emails all over the place.

[RBX0122]

Quote:

Originally Posted by CPColin

It's funny that HostGator is being this paranoid about this SSH vulnerability when they store our passwords as plain text, display them on various pages, and spew them in unencrypted emails all over the place.

Can you please explain this ?

[Target2019]

New, possible OpenSSH exploit brought to HG attention 7/5/2009 as stated in start of this thread. So I am reasonably sure the article is about the same reported flaw.

More about it here:
http://isc.sans.org/diary.html?storyid=6760

If I had 10's of thousands of customers I'd be worried, for sure. However, if offering SSH as part of my business, then would think more carefully about shutting down the service.

I haven't suffered any consequences because of this, but it will definitely stay in my mind as I consider what clients to host here.

[Chief Plasma]

Quote:

Originally Posted by Zigling

How about they find another way to prove it's me rather than me holding my friend's credit card information?
/Zig

A paypal email receipt does that for you. They need the transactoin ID that way. No cards involved.

Anyway, bet of luck to ya.


-cp

[Chief Plasma]

Quote:

Originally Posted by boiserc

Can you please explain this ?

You do not get the reminders that say your account is due with your user and pw inside. I hate that too. But that is not this threads topic.

[GatorDHanna]

SSH access has been restored and should now be open and accessible to all customers (regardless of IP whitelisting status).

If you run into any problems or have any difficulties connecting, please let our support team know via email at support@hostgator.com.

[kjvarga]

Well thank goodness for that! Unfortunately I am now getting errors from Ruby Net::SSH when I try to deploy my sites using Capistrano and it's got something to do with the recent changes.

First I was getting this encryption_client algorithm error which I have since solved:

Code:

 ** [deploy:update_code] exception while rolling back: Capistrano::ConnectionError, connection failed for: varzyfamily.com (Net::SSH::Exception: could not settle on encryption_client algorithm)
connection failed for: varzyfamily.com (Net::SSH::Exception: could not settle on encryption_client algorithm)

Some information was available from:

http://www.mail-archive.com/capistra.../msg05641.html

So I installed an updated net-ssh gem from Delano on GitHub:

Download tarball of http://github.com/delano/net-ssh/tree/master then from the download directory do the following.

Code:

gem sources -a http://gems.github.com
gem install mislav-hanna
gem install echoe
gem build net-ssh.gemspec
gem install net-ssh-2.0.12.gem

Sweet! All done. But now I'm getting this CipherError about the key length being too short. Damn! I think I'm getting closer tho. I am using RSA keys to connect to HG (of default lenght, not sure exactly).

Code:

 ** [deploy:update_code] exception while rolling back: Capistrano::ConnectionError, connection failed for: varzyfamily.com (OpenSSL::CipherError: key length too short)
connection failed for: varzyfamily.com (OpenSSL::CipherError: key length too short)

Any ideas? Do I just need to generate a different (DSA) key? longer key?

[kjvarga]

Got this reply from HG:

This is caused by the cipher that Capistrano is using - in short before Capistrano can talk to our servers, it performs a "handshake" with the server so the server and Capistrano know how to communicate with each other. We made several changes to eliminate the use of weak and easily exploitable (english: bad) ciphers and it appears that Capistrano is unable to agree with our server on which cipher to use.

Our servers are currently set to only allow these ciphers:
aes128-ctr,aes256-ctr,arcfour256,arcfour

You may need to contact the developer of Capistrano at http://www.capify.org/index.php/Capistrano with the above informatin on what ciphers we need it to support as I am not familiar with that program.

[rstanley]

Quote:

Originally Posted by GatorDHanna

SSH access has been restored and should now be open and accessible to all customers (regardless of IP whitelisting status).

If you run into any problems or have any difficulties connecting, please let our support team know via email at support@hostgator.com.

Now perhaps you can update the "Announcements" on the Control Panel so that people can see it, and receive the notice by email, if they have signed up for that option! After all, that's what it is there for! This has not been updated since "Thu, 09 Jul 2009 13:52:09 CDT"

[Jean-Luc]

Quote:

Originally Posted by kjvarga

Got this reply from HG:

Our servers are currently set to only allow these ciphers:
aes128-ctr,aes256-ctr,arcfour256,arcfour

This explains why I get "Couldn't agree a client-to-server cypher (available aes128-ctr,aes256-ctr,arcfour256,arcfour)" when I try to connect with PuTTY.

How can I add support for "aes128-ctr,aes256-ctr,arcfour256,arcfour" in PuTTY ?

Jean-Luc

[GatorZKarr]

Jean-Luc, that error has been documented with putty 0.55 and our updated version of SSH. If you use the latest version (0.60) you should be able to connect without any issue.

http://support.hostgator.com/article...-cipher-errors

[Jean-Luc]

I am now connected with 0.60. Thanks.

Jean-Luc

[bhoult]

Did you ever figure out how to get capistrano working?... I am having the same issue.

[citawds]

Quote:

Originally Posted by GatorZKarr

Jean-Luc, that error has been documented with putty 0.55 and our updated version of SSH. If you use the latest version (0.60) you should be able to connect without any issue.

http://support.hostgator.com/article...-cipher-errors

Ah that clears it up. I also ran into the same error message but then I fired up Secure Copy which connected without issues leading me to think I had an issue with my copy of putty, I just deleted and downloaded another copy which would be the latest which of course works, I never investigated further thinking I had some how borked putty ;-)

I will say that when I fired off an email to hostgator support asking to have my IP white-listed this was done within less then 5 minutes no other issues better to be safe then sorry thanks support!

Steve

[quint]

SFTP is working fine again

[GatorDHanna]

Quote:

Originally Posted by rstanley

Now perhaps you can update the "Announcements" on the Control Panel so that people can see it, and receive the notice by email, if they have signed up for that option! After all, that's what it is there for! This has not been updated since "Thu, 09 Jul 2009 13:52:09 CDT"

This has been done. Thanks!

[kjvarga]

No, I don't have solution to the Capistrano problem. I'm going to have to try to take a look at it over the next couple days. If anyone solves it, please be sure to post the solution to this thread.

[kjvarga]

Holy smokes, I've fixed the Capistrano problem! I feel like a god! I feel invincible! I feel...dizzy.

It turns out it's a problem with Ruby's Net::SSH and OpenSSL implementations, and possibly also with your OpenSSL C libraries :/

However, I've created a work around for Net::SSH which should cover any bugs in the underlying OpenSSL. The problem is with the ARCFOUR256 cipher and OpenSSL's RC4 cipher handling. OpenSSL thinks the key should be 16 bytes long so Net::SSH goes and creates one of 16 bytes. But then OpenSSH says that "the key is too short".

So I've forced Net::SSH to generate adequately long keys for ARCFOUR256 and ARCFOUR512 (I added that for kicks) ciphers and now OpenSSL doesn't complain.

You can read more about it and get an updated ruby Gem from http://github.com/kjvarga/net-ssh/tree/master.