[Info-vax] Problem with Filezilla connecting to OpenVMS
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Dec 6 10:01:44 EST 2018
On 2018-12-06 13:57:37 +0000, Hans Blom said:
> I'm running OpenVMS 8.3 and TCPIP V5.7 ECO4.
> Filezilla has apparently decided that the kexalgorithm
> diffie-hellman-group1-sha1 is vulnerable and won't connect to any of my
> servers.
> I upgraded one machine to TCPIP V5.7 ECO 5 and replaced a whole heap of
> SSH executables on recommendation of HPE. After reboot I entered
> KexAlgorithms diffie-hellman-group14-sha1 into the files SSH2_CONFIG.
> and SSHD2_CONFIG.
> Now Filezilla can connect but outgoing or incoming SSH-session to/from
> other OpenVMS clients fail. OK, so I added KexAlgorithms
> diffie-hellman-group1-sha1 to the files too. Now connection to/from
> other clients work but Filezilla has again stopped working.
> Any ideas anyone? Is the order of the KexAlgorithms lines relevant?
> Problem unsolvable?
FileZilla is not doing anything particularly unusual, here. Various
systems have been deprecating old and known-insecure key exchanges,
MACs and ciphers, and the HP/HPE/VSI sshd implementations have been
slow to respond.
OpenVMS customers have been slow to upgrade, with the terminal HPE
version V8.4 having been available for ~eight years (and new patches
for ~two more years), and with the much more recent VSI releases also
available.
What's happening here? Unfortunately, OpenVMS itself and iLOs have
down-revision sshd implementations.
VSI will almost certainly upgrade sshd as part of the VSI IP (a beta of
same is presently underway for Itanium, and a beta is planned for
Alpha), while the iLO is reportedly insufficient and incapable of being
upgraded.
The following ssh command will downgrade your connection security to
allow access into most (all?) OpenVMS systems and into most (all?)
OpenVMS-associated iLO management processors:
    ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss \
        -o KexAlgorithms=diffie-hellman-group1-sha1 \
        -o Ciphers=aes128-cbc,3des-cbc \
        -o MACs=hmac-md5,hmac-sha1 \
        User@Server.Example.Com
How you convince FileZilla to downgrade to these key exchange
algorithms, ciphers and MACs, you'll have to rummage. Based on a very
quick look at the macOS client and a quick doc search, I'm not certain
that FileZilla does allow downgrading a connection.
On most platforms, the command-line ssh and sftp clients will support
this or analogous syntax.
We're on an upgrade treadmill around ssh, TLS security, and related
details, and older software releases just won't connect to secure
platforms.
--
Pure Personal Opinion | HoffmanLabs LLC
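An added worked example for this thread (not code from the post, nor from any OpenVMS, HPE, VSI or FileZilla component): it encodes and decodes the SSH_MSG_KEXINIT name-lists from RFC 4253 and runs the client-preference negotiation of section 7.1, which is exactly where a modern client and a down-revision sshd part ways. LEGACY_SERVER is constructed to mirror the algorithm set named above (group1-sha1, ssh-rsa/ssh-dss, aes128-cbc/3des-cbc, hmac-md5/hmac-sha1) and is not a capture; MODERN_CLIENT is a representative current default list and an assumption, not the actual list of any particular release. `probe_kexinit()` is an optional live check against a real host; the host name `vms.example.com` in the demo is a placeholder.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) against a legacy sshd.

Added example for this thread; not code from the original post, nor from any
OpenVMS, HPE or VSI component.  LEGACY_SERVER is constructed to mirror the
algorithm set named in the post, not captured from a real system.  The
MODERN_CLIENT list is a representative current default and an assumption.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order after the 16-byte cookie.
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(**lists):
    """Encode a KEXINIT payload from name-lists; omitted lists are empty."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # cookie: zeros, sample only
    for field in KEXINIT_FIELDS:
        data = ",".join(lists.get(field, ())).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        names = payload[off + 4:off + 4 + n].decode("ascii")
        lists[field] = names.split(",") if names else []
        off += 4 + n
    return lists

def negotiate(client, server):
    """First name in the client's list that the server also offers wins;
    None means the connection fails at key exchange, before any login."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in ("kex", "host_key", "enc_c2s", "mac_c2s")}

def probe_kexinit(host, port=22, timeout=5.0):
    """Live check of what a real server offers.  Not run by the offline demo.
    Assumes the first binary packet after the banner is KEXINIT (the usual
    case; RFC 4253 also permits IGNORE/DEBUG there)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexprobe\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()          # servers may send text before the banner
        length, padding = struct.unpack(">IB", f.read(5))
        body = f.read(length - 1)        # payload + random padding, no MAC yet
        return parse_kexinit(body[:len(body) - padding])

# Constructed: what a down-revision OpenVMS/iLO sshd offers (mirrors the post).
LEGACY_SERVER = parse_kexinit(build_kexinit(
    kex=["diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa", "ssh-dss"],
    enc_c2s=["aes128-cbc", "3des-cbc"], enc_s2c=["aes128-cbc", "3des-cbc"],
    mac_c2s=["hmac-md5", "hmac-sha1"], mac_s2c=["hmac-md5", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"]))

# Assumption: a representative modern client default, group1-sha1 dropped.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}

# The four -o options from the post, as client preference lists.
DOWNGRADED_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-md5", "hmac-sha1"],
}

def legacy_host_stanza(host):
    """ssh_config Host block equivalent to the post's -o flags, scoped to one
    host so the downgrade is not applied to every connection the client makes."""
    return "\n".join([
        "Host " + host,
        "    HostKeyAlgorithms " + ",".join(DOWNGRADED_CLIENT["host_key"]),
        "    KexAlgorithms " + ",".join(DOWNGRADED_CLIENT["kex"]),
        "    Ciphers " + ",".join(DOWNGRADED_CLIENT["enc_c2s"]),
        "    MACs " + ",".join(DOWNGRADED_CLIENT["mac_c2s"]),
    ])

if __name__ == "__main__":
    print("modern client:    ", negotiate(MODERN_CLIENT, LEGACY_SERVER))
    print("downgraded client:", negotiate(DOWNGRADED_CLIENT, LEGACY_SERVER))
    print(legacy_host_stanza("vms.example.com"))
```

Two things fall out of running it. First, the modern client gets None for every list, so the failure is at key exchange, before any host key or password is involved; the downgraded client gets group1-sha1, ssh-rsa, aes128-cbc and hmac-md5, which is the post's command line in action. Second, per RFC 4253 the pick is the first entry in the client's list that the server also offers, so the order that matters is the client's, and the server only needs to offer every name that any of its clients will accept in its single list; a server offering both diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 lets a client that prefers group14 and a client that only knows group1 both connect. Whether a given sshd honours two separate KexAlgorithms lines or only the first is a question for that implementation's documentation; the wire-level requirement is just one list containing both names. On an OpenSSH client, `ssh -Q kex` lists what the client is built with and `ssh -vv host` shows the lists actually exchanged. Keep the downgrade inside a `Host` stanza in ~/.ssh/config, as `legacy_host_stanza()` emits, rather than in global settings, since it re-enables a 1024-bit group, CBC ciphers and MD5 for whatever it is applied to.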