[Info-vax] problem connecting via ssh to Fedora-linux-server FC22
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Jun 1 10:46:44 EDT 2015
On 2015-06-01 12:39:26 +0000, Joukj said:
> I recently upgraded one of my Fedora-linux servers from FC21 to FC22.
> After the upgrade I was not able to connect via ssh from my OpenVMS
> machines to this server (see log for connections to FC22 (failed) and
> FC21 (succeeded) below.) Connection from any of my linux servers is
> still possible.
> It seems that something goes wrong when negotiating the ciphers.
>
> As ssh-client I tried both (on OpenVMS v 8.4):
> HP TCP/IP Services for OpenVMS Alpha Version V5.7 - ECO 5
> HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.7 - ECO 5
>
> Is my TCP/IP stack to blame? Is there a work-around?
Based on "Disconnected; key exchange or algorithm negotiation failed
(Algorithm negotiation failed.).", this might well be related to these
changes:
<http://labs.hoffmanlabs.com/node/1897>
Compare your cipher lists on the client and on the server.
The V5.7 ECO 5 ssh client offers the following list, most of which
are considered very weak:
3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr,blowfish-cbc,twofish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,des-cbc@ssh.com,cast128-cbc,rc2-cbc@ssh.com,arcfour,none
See what your client is configured to propose, and see if your FC22
sshd can be configured to offer one or more of the CTRs. The rest of
that list are all weak. IIRC, the OpenVMS ssh client was actually
proposing a list that included the none cipher, which was just nuts.
If this is the problem, using ssh -vvv might provide you with more
details of the negotiation, too.
--
Pure Personal Opinion | HoffmanLabs LLC
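
The list comparison suggested in the message above, as an added example that is not part of the original post or of any vendor's code: it applies the RFC 4253 section 7.1 rule (the first name on the client's list that the server also lists is chosen; no common name means disconnect) to the client proposal quoted above. The two server lists are constructed for illustration and are not taken from an FC22 system.

```python
# Added example: SSH cipher selection per RFC 4253 section 7.1.

# Client proposal quoted in the message (TCP/IP Services V5.7 ECO 5);
# the "@ssh.com" names are written with "@" as they appear on the wire.
CLIENT_OFFER = (
    "3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,"
    "aes128-ctr,blowfish-cbc,twofish-cbc,twofish256-cbc,twofish192-cbc,"
    "twofish128-cbc,des-cbc@ssh.com,cast128-cbc,rc2-cbc@ssh.com,arcfour,none"
)

# Constructed server lists (assumptions for illustration only).
SERVER_WITH_CTR = "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
SERVER_AEAD_ONLY = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"


def parse_name_list(value):
    """Split an SSH name-list into names, dropping empty entries."""
    return [name.strip() for name in value.split(",") if name.strip()]


def negotiate(client_list, server_list):
    """Return the first client algorithm the server also lists, else None.

    The client's preference order decides; None corresponds to the
    'Algorithm negotiation failed' disconnect.
    """
    server = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server:
            return name
    return None


def report(client_list, server_list):
    """Summarise the comparison: chosen cipher, overlap, CTR overlap."""
    client = parse_name_list(client_list)
    server = set(parse_name_list(server_list))
    common = [n for n in client if n in server]
    return {
        "chosen": negotiate(client_list, server_list),
        "common": common,
        "common_ctr": [n for n in common if n.endswith("-ctr")],
        "client_offers_none": "none" in client,
    }


if __name__ == "__main__":
    for label, server in (("with CTR", SERVER_WITH_CTR), ("AEAD only", SERVER_AEAD_ONLY)):
        print(label, report(CLIENT_OFFER, server))
```

To check a real pair, paste the two lists from the -vvv negotiation output in place of the constructed server lists.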