Supported SSH Key Exchanges

ruf-f
(Mike S) #1

Hello,

We set up Octopus Deploy (version 3.13.6) to target WP Engine via an SSH Connection deployment target. Deployments were working perfectly until WP Engine recently deprecated some “insecure” ciphers.

I took a look here to find Octopus’ supported Ciphers. It does not look like there is overlap between what WP Engine supports and Octopus Deploy (at least in the latest version). As of today (2019-06-07), here is the list of supported Ciphers from WP Engine:

Key Exchanges:
ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

Message Authentication Codes:
hmac-sha2-256

Ciphers:
aes128-ctr, aes192-ctr, aes256-ctr

There is no overlap in the Key Exchanges. Is there a recommended approach to add the Key Exchanges WP Engine supports? Is there a configuration outside of the source code that allows us to add additional Key Exchanges? Would it be possible for us to fork the Octopus version of SSH.Net and add the support in? I could also be looking in all the wrong places. Any advice would be appreciated.

Thanks,
Mike

#3

Hi Mike,

Thanks for getting in touch!

I’ve had a look and confirmed that you are correct, we don’t have an overlap in Key Exchanges. We’ve confirmed that SSH.Net doesn’t have the required key exchanges either. What I would recommend at this point is creating a PR against the Octopus SSH.Net fork adding in the required support, which we can then review and incorporate in an upcoming release of Octopus.

Let me know if you have any questions,

Regards,
Alex

#4

Hi Mike,

As soon as I hit the Reply button another option came to mind. We have a beta release of a full Linux Tentacle that might resolve this issue as well. You can view the documentation here, which describes the known limitations and how to install the Tentacle.

We would love your feedback if this is a viable option, although it would require an upgrade of Octopus to at least version 2019.5.7 which would also be required if we updated SSH.Net.

Hope that helps!

Regards,
Alex
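
The overlap check discussed in this thread can be reproduced offline. The sketch below is an added example, not code from Octopus Deploy or SSH.Net: it applies the RFC 4253 (section 7.1) selection rule to the WP Engine lists quoted in the first post. The client lists are constructed for illustration and are an assumption, since the thread does not reproduce the Octopus list.

```python
# Added example: SSH algorithm negotiation per RFC 4253, section 7.1.
# For each category, the first algorithm on the client's list that the server
# also lists is chosen. (For key exchange the RFC adds further conditions;
# server support is still required, which is what is checked here.)

# Server lists copied from the first post (WP Engine, 2019-06-07).
SERVER = {
    "kex": "ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521",
    "mac": "hmac-sha2-256",
    "cipher": "aes128-ctr, aes192-ctr, aes256-ctr",
}

# Constructed client lists (assumption: NOT the real Octopus / SSH.Net list).
CLIENT = {
    "kex": "diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, "
           "diffie-hellman-group1-sha1",
    "mac": "hmac-sha1, hmac-sha2-256",
    "cipher": "aes256-ctr, aes128-cbc, 3des-cbc",
}


def parse_name_list(text):
    """Split a comma-separated name-list, dropping whitespace and empties."""
    return [name.strip() for name in text.split(",") if name.strip()]


def negotiate(client, server):
    """Return {category: chosen algorithm or None}, in client preference order."""
    result = {}
    for category in sorted(set(client) | set(server)):
        offered = set(parse_name_list(server.get(category, "")))
        wanted = parse_name_list(client.get(category, ""))
        result[category] = next((alg for alg in wanted if alg in offered), None)
    return result


def failed_categories(client, server):
    """Categories with no common algorithm; any entry aborts the handshake."""
    return [c for c, alg in negotiate(client, server).items() if alg is None]


if __name__ == "__main__":
    for category, alg in negotiate(CLIENT, SERVER).items():
        print(f"{category:7} -> {alg or 'NO COMMON ALGORITHM'}")
    print("handshake would fail on:", failed_categories(CLIENT, SERVER))
```

To check a real client, replace `CLIENT` with the lists from its documentation or from the KEXINIT lines of a verbose connection log.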