[Info-vax] problem connecting via ssh to Fedora-linux-server FC22
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Jun 2 09:44:14 EDT 2015
On 2015-06-02 11:26:14 +0000, Joukj said:
> thanks, that solved the problem.
> I added the ciphers/macs/kexs which were default in FC21,
In general, you'll want to go the other way. The CBC ciphers and the
rest were dropped because they were insecure.
I and probably some other folks raised this OpenSSH change with HP, and
the HP folks added the CTR ciphers.
Crypto and related security interfaces on OpenVMS tend to be very old,
and what is around can be insecure or is looking increasingly insecure.
(This is just one of the bits that grate when I see the "OpenVMS is
secure" comment posted around the 'net. OpenVMS should not even still
be offering algorithms that are now considered weak or are considered
compromised, such as the CBC ciphers. But I digress.)
> amazing that even on a Linux subject the OpenVMS community is much
> more helpful than the Linux community (I asked the same on a Fedora
> forum, but got 0 answers!!!)
Several details to ponder on that:
...the Fedora folks probably have little or no experience with OpenVMS
or other similarly arcane operating systems. The OpenVMS folks have
to deal with Linux and various other platforms. (Hence my posting on
this.)
...ssh questions are not usually questions that are particularly
interesting to answer. More often than not, the ssh issue is resolved
by walking somebody through the documentation, or by helping them
troubleshoot some key mis-formatting issue, or by helping the
questioner resolve the ever-popular incorrectly-protected-files issue.
All of which have been discussed a gazillion times before.
...Probably more centrally, the Fedora folks aren't really the upstream
here, it's the OpenBSD OpenSSH folks. http://www.openssh.com Per the
OpenSSH web page: "General support (especially regarding
interoperability issues) may also be found at the newsgroup
comp.security.ssh." Or the developer's public mailing list. In short,
you were asking the wrong crowd for help.
> However, when you do not "own" the ssh-server this is not a solution.
> How difficult would it be to build the OpenSSH client on top of the
> TCP/IP stack of OpenVMS?
Donno. Currently tussling with other issues and with porting some
other code, locally. Try the Promise ssh client, if that's an option.
Or sure, try the port — there's a portable variant of OpenSSH
available directly from the OpenBSD OpenSSH folks. The OpenVMS ssh
implementation is missing various tools and features that would make
dealing with ssh on OpenVMS rather easier, and would make the key setup
rather less manual.
--
Pure Personal Opinion | HoffmanLabs LLC
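
An added example, not part of the original post: a small Python check that reads an sshd_config and reports whether CBC ciphers have been added back through the Ciphers directive, and whether CTR ciphers are offered. The sample config is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a server config where legacy CBC ciphers were added back.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#Ciphers aes256-cbc
ciphers=blowfish-cbc
"""

def effective_ciphers(config_text):
    """Return (prefix, [names]) from the first Ciphers directive, or None.

    sshd uses the first value it obtains for a keyword, so later Ciphers
    lines are ignored. Keywords are case-insensitive and may use '='.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(?i)ciphers(?:\s*=\s*|\s+)(\S.*)$", line)
        if not m:
            continue
        value = m.group(1).strip().strip('"')
        # '+' appends to the defaults, '^' prepends, '-' removes from them.
        prefix = value[0] if value[0] in "+-^" else ""
        names = [n.strip() for n in value[len(prefix):].split(",") if n.strip()]
        return prefix, names
    return None

def audit_ciphers(config_text):
    """Report CBC ciphers the config enables and CTR ciphers it lists."""
    found = effective_ciphers(config_text)
    if found is None:
        # No explicit directive: the server's built-in defaults apply.
        return {"explicit": False, "cbc": [], "ctr": []}
    prefix, names = found
    enabled = [] if prefix == "-" else names     # '-' disables, never enables
    return {
        "explicit": True,
        "cbc": [n for n in enabled if "-cbc" in n],
        "ctr": [n for n in enabled if n.endswith("-ctr")],
    }

if __name__ == "__main__":
    report = audit_ciphers(SAMPLE_SSHD_CONFIG)
    for name in report["cbc"]:
        print("CBC cipher enabled, consider removing:", name)
    print("CTR ciphers offered:", ", ".join(report["ctr"]) or "none")
```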