[Info-vax] Problem with Filezilla connecting to OpenVMS

Dave Froble davef at tsoft-inc.com
Thu Dec 6 10:19:26 EST 2018


On 12/6/2018 10:01 AM, Stephen Hoffman wrote:
> On 2018-12-06 13:57:37 +0000, Hans Blom said:
>
>> I'm running OpenVMS 8.3 and TCPIP V5.7 ECO4.
>> Filezilla has apparently decided that the kexalgorithm
>> diffie-hellman-group1-sha1 is vulnerable and won't connect to any of
>> my servers.
>> I upgraded one machine to TCPIP V5.7 ECO 5 and replaced a whole heap
>> of SSH executables on recommendation of HPE. After reboot I entered
>> KexAlgorithms diffie-hellman-group14-sha1 into the files SSH2_CONFIG.
>> and SSHD2_CONFIG.
>> Now Filezilla can connect but outgoing or incoming SSH-session to/from
>> other OpenVMS clients fail. OK, so I added KexAlgorithms
>> diffie-hellman-group1-sha1 to the files too. Now connection to/from
>> other clients work but Filezilla has again stopped working.
>> Any ideas anyone? Is the order of the KexAlgorithms lines relevant?
>> Problem unsolvable?
>
> FileZilla is not doing anything particularly unusual, here.   Various
> systems have been deprecating old and known-insecure key exchanges, MACs
> and ciphers, and the HP/HPE/VSI sshd implementations have been slow to
> respond.
>
> OpenVMS customers have been slow to upgrade, with the terminal HPE
> version V8.4 having been available for ~eight years (and new-patches for
> ~two more years), and with the much more recent VSI releases also
> available.
>
> What's happening here?  Unfortunately, OpenVMS itself and iLOs have
> down-revision sshd implementations.
>
> VSI will almost certainly upgrade sshd as part of the VSI IP (a beta of
> same is presently underway for Itanium and a beta is planned for
> Alpha), while the iLO is reportedly insufficient and incapable of being
> upgraded.
>
> The following ssh command will downgrade your connection security to
> allow access into most (all?) OpenVMS systems and into most (all?)
> OpenVMS-associated iLO management processors:
>
> ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 User@Server.Example.Com
>
> How you convince FileZilla to downgrade to these key exchange
> algorithms, ciphers and MACs, you'll have to rummage.  Based on a very
> quick look at the macOS client and a quick doc search, I'm not certain
> that FileZilla does allow downgrading a connection.
>
> On most platforms, the command-line ssh and sftp clients will support
> this or analogous syntax.
>
> We're on an upgrade treadmill around ssh, TLS security, and related
> details, and older software releases just won't connect to secure
> platforms.
>
>

Ya know, the real problem here is dumb-ass developers who cannot figure
out that perhaps there will be a time when a user just cannot use
encryption, and provide for an unencrypted option.  Oh, no, that's way
too reasonable.  Can't have that.

Then again, it's their product, and it's worth just about what you are 
paying for it.  Ain't free software great?  Ain't the developers of free 
software the smartest people around?

When you don't have to please the users, you can be as dumb as you want 
to be ....

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486
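An added example, not part of any post in this thread, illustrating the negotiation rule behind Hans Blom's "is the order of the KexAlgorithms lines relevant?" question. Per RFC 4253 section 7.1, the key-exchange method used is the first entry in the client's name-list that also appears in the server's name-list; if there is none, the connection fails at KEXINIT. The name-lists below are constructed for the scenario (a modern client that has dropped group1, an old OpenVMS client that only speaks group1, and the three server settings tried); they are not captured from FileZilla or from any real host. The script also assumes, as an assumption not confirmed on the page, that the TCPIP SSHD2_CONFIG KexAlgorithms keyword takes one comma-separated list rather than two separate lines.

```bash
#!/usr/bin/env bash
# Resolve the key-exchange algorithm an SSH session will use, following
# RFC 4253 section 7.1: the first algorithm in the CLIENT's name-list
# that also appears in the SERVER's name-list wins; the server's own
# ordering does not matter, only membership.
#   $1 = client name-list (comma separated)
#   $2 = server name-list (comma separated)
# Prints the chosen algorithm and returns 0, or prints NONE and returns 1
# (no common method means the connection fails at KEXINIT).
negotiate_kex() {
    local client_list=$1 server_list=$2
    local c s old_ifs=$IFS
    IFS=','
    for c in $client_list; do
        for s in $server_list; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    printf 'NONE\n'
    return 1
}

# Constructed name-lists for the scenario in the thread (not real
# FileZilla or OpenVMS output). The modern client prefers newer methods
# and no longer offers group1 at all; the old OpenVMS client only has
# group1.
MODERN_CLIENT='curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1'
OLD_VMS_CLIENT='diffie-hellman-group1-sha1'

# The three server settings tried in the thread. SERVER_BOTH assumes the
# sshd accepts a single comma-separated KexAlgorithms list (assumption,
# not confirmed on the page).
SERVER_GROUP14_ONLY='diffie-hellman-group14-sha1'
SERVER_GROUP1_ONLY='diffie-hellman-group1-sha1'
SERVER_BOTH='diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Run each client against each server setting and tabulate the outcome.
demo() {
    local server client
    for server in SERVER_GROUP14_ONLY SERVER_GROUP1_ONLY SERVER_BOTH; do
        for client in MODERN_CLIENT OLD_VMS_CLIENT; do
            printf '%-20s %-15s -> %s\n' "$server" "$client" \
                "$(negotiate_kex "${!client}" "${!server}" || true)"
        done
    done
}

demo
```

With SERVER_BOTH the modern client lands on group14 and the old OpenVMS client on group1, so both connect from one server configuration; either single-algorithm setting locks out one of the two, which is exactly the see-saw described in the question. On an OpenSSH client, `ssh -Q kex` prints that client's supported name-list and can be fed in as the first argument. Keeping group1 in the server list is what makes the old clients work, and it also means any client that prefers group1 still gets it; that is a deliberate trade-off, not a fix.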


