[Info-vax] modern ssh on the old stack (VSI) versus new VSI stack (documentation)

Jim mckinneyj at leidos.com
Wed Mar 25 13:58:28 EDT 2020 

On Wednesday, March 25, 2020 at 1:02:21 PM UTC-4, gérard Calliet wrote:
> Hello,
> 
> Because I think you have a lot of time at home now, I have a question.
> 
> With VSI tcpip new stack, I have a lot of information in the SPD about 
> what can be done with ssh, for example:
> 
> """SSH functionality has been extended to include the following:
> • Diffie-Hellman-group14-sha256 (RFC 4250). This addition improves 
> security of the key exchange by using a hash with more bits.
> • Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]. Curves 
> are: nistp256, nistp384, nistp521. The curve chosen will be sufficient 
> to support the hash for the host keys involved. For example: o If the 
> host key is ECDSA-nistp521, only the curve nistp521 will be available. o 
> If the host key is ECDSA-nistp384, the curves nistp384 and nistp521 will 
> be available. o If the host key is ECDSA-nistp256, the curves nistp256, 
> nistp384 and nistp521 will be available.
> • Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public 
> keys are written in a format close to what is used by OpenSSH; OpenSSH 
> public keys can be read as-is. The "Subject" and "Comment" lines in the 
> key may need to be removed to make the keys readable by OpenSSH. ECDSA 
> supports curves nistp256, nistp384, nistp521.
> ..... """
> 
> I cannot find something precise like that for the last versions of the 
> old tcpip stack delivered by VSI, including all good ECOs.
> 
> It is important for me to know about that to be able to determine if the 
> last versions of tcpip/ssh on the old stack (for itanium and for alpha) 
> are reasonably usable in the modern world, before being able to use the 
> new stack. Another reason behind that is knowing if is worth it to go to 
> VSI and tcpip (old stack) only to have more functionalities on ssh.
> 
> Take care
> 
> Gérard Calliet

I can't tell you which key exchange algorithms are present in the older VMS
SSH implementations nor if those are well documented, but if you have one
installed you can use DEBUG level 3 on an SSH connection to localhost and
observe what is offered. With MultiNet's SSH I would do this:

$ ssh/debug=3 localhost.

and observe something like the following right near the beginning of the
SSH conversation.

[...]
debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:66: host_key_algorithms = x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa

debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:67: ciphers_c_to_s = aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none

debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:68: ciphers_s_to_c = aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none

debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none

debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none

debug: (10:42:53)Ssh2Client/SSHCLIENT.C;1:1765: Creating transport protocol.

debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4238: available kex algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4256: guessed kex ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521

More information about the Info-vax mailing list