[Info-vax] modern ssh on the old stack (VSI) versus new VSI stack (documentation)

Craig A. Berry craigberry at nospam.mac.com
Wed Mar 25 14:49:57 EDT 2020 

On 3/25/20 12:58 PM, Jim wrote:
> On Wednesday, March 25, 2020 at 1:02:21 PM UTC-4, gérard Calliet wrote:
>> Hello,
>>
>> Because I think you have a lot of time at home now, I have a question.
>>
>> With VSI tcpip new stack, I have a lot of information in the SPD about
>> what can be done with ssh, for example:
>>
>> """SSH functionality has been extended to include the following:
>> • Diffie-Hellman-group14-sha256 (RFC 4250). This addition improves
>> security of the key exchange by using a hash with more bits.
>> • Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]. Curves
>> are: nistp256, nistp384, nistp521. The curve chosen will be sufficient
>> to support the hash for the host keys involved. For example: o If the
>> host key is ECDSA-nistp521, only the curve nistp521 will be available. o
>> If the host key is ECDSA-nistp384, the curves nistp384 and nistp521 will
>> be available. o If the host key is ECDSA-nistp256, the curves nistp256,
>> nistp384 and nistp521 will be available.
>> • Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public
>> keys are written in a format close to what is used by OpenSSH; OpenSSH
>> public keys can be read as-is. The "Subject" and "Comment" lines in the
>> key may need to be removed to make the keys readable by OpenSSH. ECDSA
>> supports curves nistp256, nistp384, nistp521.
>> ..... """
>>
>> I cannot find something precise like that for the last versions of the
>> old tcpip stack delivered by VSI, including all good ECOs.
>>
>> It is important for me to know about that to be able to determine if the
>> last versions of tcpip/ssh on the old stack (for itanium and for alpha)
>> are reasonably usable in the modern world, before being able to use the
>> new stack. Another reason behind that is knowing if is worth it to go to
>> VSI and tcpip (old stack) only to have more functionalities on ssh.
>>
>> Take care
>>
>> Gérard Calliet
> 
> I can't tell you which key exchange algorithms are present in the older VMS
> SSH implementations nor if those are well documented, but if you have one
> installed you can use DEBUG level 3 on an SSH connection to localhost and
> observe what is offered. With MultiNet's SSH I would do this:
> 
> $ ssh/debug=3 localhost.
> 
> and observe something like the following right near the beginning of the
> SSH conversation.
> 
> [...]
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> 
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:66: host_key_algorithms = x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
> 
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:67: ciphers_c_to_s = aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
> 
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:68: ciphers_s_to_c = aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
> 
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
> 
> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
> 
> debug: (10:42:53)Ssh2Client/SSHCLIENT.C;1:1765: Creating transport protocol.
> 
> debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4238: available kex algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> 
> debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4256: guessed kex ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521
> 

Doing ssh -vvv to the following system:

$ tcpip show vers

   HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.7 - ECO 5
   on an HP rx2660  (1.67GHz/9.0MB) running OpenVMS V8.4-2L1

$ prod show hist *tcp*
------------------------------------ ----------- ----------- --- -----------
PRODUCT                              KIT TYPE    OPERATION   VAL DATE
------------------------------------ ----------- ----------- --- -----------
VSI I64VMS TCPIP_PAT V5.7-ECO5O      Patch       Install     Val 09-MAR-2018
VSI I64VMS TCPIP_NFS_PAT V5.7-ECO5C  Patch       Install     Val 21-DEC-2017
VSI I64VMS TCPIP_SSH_PAT V5.7-ECO5D  Patch       Install     Val 21-DEC-2017
VSI I64VMS TCPIP V5.7-13ECO5F        Full LP     Install     Val 21-DEC-2017
VSI I64VMS TCPIP V5.7-13ECO5         Full LP     Remove       -  21-DEC-2017
VSI I64VMS TCPIP V5.7-13ECO5         Full LP     Reg Product (U) 21-DEC-2017
------------------------------------ ----------- ----------- --- -----------
6 items found

I see the following algorithms and ciphers listed:

debug2: KEX algorithms: 
curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: 
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: 
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc: 
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com

More information about the Info-vax mailing list