After upgrading to a firmware version that ships OpenSSH 9.3 patched for the recent SSH vulnerabilities (12.1-55.304+ FIPS, 13.0-92.23+, 13.1-53.4+, 13.1-37.180+ FIPS, 14.1-22.16+), SSH access to the NetScaler no longer works.
PuTTY shows the error:
Network error: Software caused connection abort.
Access the NetScaler through the console and check whether the SSH service is running:
root@ADC# ps -aux | grep ssh
root 637 0.0 0.1 33008 5596 - I 17:15 0:00.03 php /netscaler/websocketd/websocket-ssh-deamon.php
root 21402 0.0 0.1 13244 7912 - Ss 19:49 0:00.04 sshd: nsroot@pts/0 (sshd)
root 21403 0.0 0.1 13244 7800 - Ss 19:49 0:00.03 sshd: nsroot@notty (sshd)
root 23082 0.0 0.1 13244 7440 - Ss 20:01 0:00.02 sshd: /usr/sbin/sshd -f /etc/sshd_config [listener] 0 of 10-60 startups (sshd)
If there is no "/usr/sbin/sshd -f /etc/sshd_config" entry in the list, the SSH service is not running.
Starting the SSH service manually fails with a "Bad SSH2 cipher spec" error:
root@ADC# /usr/sbin/sshd -f /etc/sshd_config
/etc/sshd_config line 16: Deprecated option UsePrivilegeSeparation
/etc/sshd_config line 39: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc'.
The "Deprecated option UsePrivilegeSeparation" message is only a warning and can be ignored for now; the cipher list is the actual problem.
Check which ciphers the installed version of OpenSSH supports:
root@ADC# ssh -V
OpenSSH_9.3p2-FIPS, OpenSSL 1.0.2zh-fips 30 May 2023
root@ADC#
root@ADC# ssh -Q ciphers
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
"aes128-cbc" is not in that list: OpenSSH 9.3 no longer supports it, so it must be removed from the cipher list.
Edit the Ciphers line in "/nsconfig/sshd_config" so that it contains only supported ciphers, then start the service:
root@ADC# more /nsconfig/sshd_config
Protocol 2
HostKey /nsconfig/ssh/ssh_host_rsa_key
HostKey /nsconfig/ssh/ssh_host_ecdsa_key
LoginGraceTime 120
PermitRootLogin yes
LogLevel INFO
IgnoreRhosts no
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
PasswordAuthentication yes
# UsePrivilegeSeparation: depricated, but keeping it for upgrade/downgrade.
UsePrivilegeSeparation no
UsePam no
UseDNS no
# after 10 seconds of no data send clientalive
ClientAliveInterval 10
# only allow 5 outstanding clientalives aka 50 seconds detect disconnect
ClientAliveCountMax 5
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding no
#
MaxStartups 10:30:60
Banner /etc/issue.net
# Work around some old GUI components that do not work without SHA1 during the key exchange
HostKeyAlgorithms +ssh-rsa
# Terrapin attack (CVE-2023-48795) mitigation.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs -*-etm@openssh.com
root@ADC#
root@ADC#
root@ADC# /usr/sbin/sshd -f /etc/sshd_config
/etc/sshd_config line 16: Deprecated option UsePrivilegeSeparation
root@ADC#
root@ADC#
root@ADC# ps -aux | grep ssh
root 637 0.0 0.1 33008 5596 - I 17:15 0:00.03 php /netscaler/websocketd/websocket-ssh-deamon.php
root 21402 0.0 0.1 13244 7976 - Ss 19:49 0:00.13 sshd: nsroot@pts/0 (sshd)
root 21403 0.0 0.1 13244 7800 - Ss 19:49 0:00.04 sshd: nsroot@notty (sshd)
root 25032 0.0 0.1 13244 7440 - Ss 20:18 0:00.00 sshd: /usr/sbin/sshd -f /etc/sshd_config [listener] 0 of 10-60 startups (sshd)
root@ADC#
Root cause: the cipher list in "/nsconfig/sshd_config" contains ciphers that the new version of OpenSSH no longer supports, so sshd refuses to start.
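The check described above (compare the Ciphers line against `ssh -Q ciphers` and drop whatever the installed OpenSSH does not accept) can be scripted so it is run before the sshd restart rather than discovered from the "Bad SSH2 cipher spec" error. The following shell script is an added example, not part of the original article or of the NetScaler firmware. It assumes a POSIX sh with grep, awk, sed and tr (available in the NetScaler shell) and, for the live check only, that `ssh -Q ciphers` is present; the function names and the sample sshd_config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): find ciphers in an sshd_config
# Ciphers directive that the installed OpenSSH would reject with
# "Bad SSH2 cipher spec", and print a corrected directive.

# configured_ciphers CONFIG_FILE
#   Prints the entries of the last uncommented "Ciphers" directive, one per line.
#   A leading '+', '-' or '^' (OpenSSH append/remove/prepend syntax) is dropped.
configured_ciphers() {
    grep -i '^[[:space:]]*Ciphers[[:space:]]' "$1" | tail -n 1 \
        | awk '{print $2}' | sed 's/^[+^-]//' | tr ',' '\n' | sed '/^$/d'
}

# unsupported_ciphers CONFIG_FILE SUPPORTED_FILE
#   SUPPORTED_FILE holds one cipher name per line, as printed by `ssh -Q ciphers`.
#   Prints every configured cipher that is missing from SUPPORTED_FILE.
unsupported_ciphers() {
    configured_ciphers "$1" | while read -r cipher; do
        if ! grep -qx "$cipher" "$2"; then
            echo "$cipher"
        fi
    done
}

# fixed_cipher_line CONFIG_FILE SUPPORTED_FILE
#   Prints a replacement "Ciphers" directive that keeps only the supported
#   entries, in their original order.
fixed_cipher_line() {
    kept=""
    for cipher in $(configured_ciphers "$1"); do
        if grep -qx "$cipher" "$2"; then
            kept="${kept:+$kept,}$cipher"
        fi
    done
    echo "Ciphers $kept"
}

# live_check [CONFIG_FILE]
#   Same comparison against the OpenSSH that is actually installed; this is the
#   variant to run on the NetScaler shell before restarting sshd.
live_check() {
    config="${1:-/nsconfig/sshd_config}"
    supported=$(mktemp)
    ssh -Q ciphers > "$supported"
    unsupported_ciphers "$config" "$supported"
    rm -f "$supported"
}

# Offline demonstration with a constructed config and the cipher list shown in
# the article's `ssh -Q ciphers` output (hypothetical files, created here).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Protocol 2
# Ciphers aes128-cbc        (commented out: must be ignored)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc
MACs -*-etm@openssh.com
EOF
printf '%s\n' aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com \
    aes256-gcm@openssh.com chacha20-poly1305@openssh.com > "$demo_dir/supported"

echo "Unsupported ciphers in $demo_dir/sshd_config:"
unsupported_ciphers "$demo_dir/sshd_config" "$demo_dir/supported"
echo "Suggested directive:"
fixed_cipher_line "$demo_dir/sshd_config" "$demo_dir/supported"
rm -rf "$demo_dir"
```

On the appliance itself, `live_check /nsconfig/sshd_config` prints nothing when the Ciphers line is clean, which is the state to reach before running `/usr/sbin/sshd -f /etc/sshd_config`; an empty result from `fixed_cipher_line` (just "Ciphers ") would mean none of the configured entries survive and the line needs to be rebuilt from the `ssh -Q ciphers` output rather than trimmed.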