[Info-vax] modern ssh on the old stack (VSI) versus new VSI stack (documentation)
gérard Calliet
gerard.calliet at pia-sofer.fr
Thu Mar 26 06:29:17 EDT 2020
On 25/03/2020 at 19:49, Craig A. Berry wrote:
> On 3/25/20 12:58 PM, Jim wrote:
>> On Wednesday, March 25, 2020 at 1:02:21 PM UTC-4, gérard Calliet wrote:
>>> Hello,
>>>
>>> Because I think you have a lot of time at home now, I have a question.
>>>
>>> With VSI tcpip new stack, I have a lot of information in the SPD about
>>> what can be done with ssh, for example:
>>>
>>> """SSH functionality has been extended to include the following:
>>> • Diffie-Hellman-group14-sha256 (RFC 4250). This addition improves
>>> security of the key exchange by using a hash with more bits.
>>> • Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]. Curves
>>> are: nistp256, nistp384, nistp521. The curve chosen will be sufficient
>>> to support the hash for the host keys involved. For example:
>>>   o If the host key is ECDSA-nistp521, only the curve nistp521 will be available.
>>>   o If the host key is ECDSA-nistp384, the curves nistp384 and nistp521 will be available.
>>>   o If the host key is ECDSA-nistp256, the curves nistp256, nistp384 and nistp521 will be available.
>>> • Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public
>>> keys are written in a format close to what is used by OpenSSH; OpenSSH
>>> public keys can be read as-is. The "Subject" and "Comment" lines in the
>>> key may need to be removed to make the keys readable by OpenSSH. ECDSA
>>> supports curves nistp256, nistp384, nistp521.
>>> ..... """
>>>
>>> I cannot find something precise like that for the last versions of the
>>> old tcpip stack delivered by VSI, including all good ECOs.
>>>
>>> It is important for me to know about that to be able to determine if the
>>> last versions of tcpip/ssh on the old stack (for itanium and for alpha)
>>> are reasonably usable in the modern world, before being able to use the
>>> new stack. Another reason behind that is knowing if it is worth it to go to
>>> VSI and tcpip (old stack) only to have more functionalities on ssh.
>>>
>>> Take care
>>>
>>> Gérard Calliet
>>
>> I can't tell you which key exchange algorithms are present in the
>> older VMS
>> SSH implementations nor if those are well documented, but if you have one
>> installed you can use DEBUG level 3 on an SSH connection to localhost and
>> observe what is offered. With MultiNet's SSH I would do this:
>>
>> $ ssh/debug=3 localhost.
>>
>> and observe something like the following right near the beginning of the
>> SSH conversation.
>>
>> [...]
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:65: kex_algorithms =
>> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>
>>
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:66: host_key_algorithms =
>> x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
>>
>>
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:67: ciphers_c_to_s =
>> aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
>>
>>
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:68: ciphers_s_to_c =
>> aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
>>
>>
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:69: macs_c_to_s =
>> hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
>>
>> debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:70: macs_s_to_c =
>> hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
>>
>> debug: (10:42:53)Ssh2Client/SSHCLIENT.C;1:1765: Creating transport
>> protocol.
>>
>> debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4238: available kex
>> algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>
>>
>> debug: (10:42:53)Ssh2Transport/TRCOMMON.C;1:4256: guessed kex
>> ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521
>>
>
> Doing ssh -vvv to the following system:
>
> $ tcpip show vers
>
> HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.7 - ECO 5
> on an HP rx2660 (1.67GHz/9.0MB) running OpenVMS V8.4-2L1
>
> $ prod show hist *tcp*
> ------------------------------------ ----------- ----------- --- -----------
> PRODUCT                              KIT TYPE    OPERATION   VAL DATE
> ------------------------------------ ----------- ----------- --- -----------
> VSI I64VMS TCPIP_PAT V5.7-ECO5O      Patch       Install     Val 09-MAR-2018
> VSI I64VMS TCPIP_NFS_PAT V5.7-ECO5C  Patch       Install     Val 21-DEC-2017
> VSI I64VMS TCPIP_SSH_PAT V5.7-ECO5D  Patch       Install     Val 21-DEC-2017
> VSI I64VMS TCPIP V5.7-13ECO5F        Full LP     Install     Val 21-DEC-2017
> VSI I64VMS TCPIP V5.7-13ECO5         Full LP     Remove      -   21-DEC-2017
> VSI I64VMS TCPIP V5.7-13ECO5         Full LP     Reg Product (U) 21-DEC-2017
> ------------------------------------ ----------- ----------- --- -----------
> 6 items found
>
> I see the following algorithms and ciphers listed:
>
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
>
> debug2: host key algorithms:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
>
> debug2: ciphers ctos:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>
> debug2: ciphers stoc:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>
Thanks Jim, thanks Craig
I think I missed the "VSI I64VMS TCPIP_SSH_PAT V5.7-ECO5D" ECO, which is
not included in the general "VSI I64VMS TCPIP V5.7-13ECO5F" ECO, as
stated in another thread.
I haven't an up-to-date VSI Alpha TCPIP.
So I cannot do the same test now on Alpha. And it seems there is not
anywhere the same good documentation on TCPIP "old" stack as for the
"new". But VSI sells the two, and could perhaps give same level of
information for the two.
Gérard Calliet
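The two replies above show how to read the negotiated algorithm lists straight out of the client's debug trace (ssh/debug=3 on MultiNet/VSI, ssh -vvv with OpenSSH). The script below is an added example, not code from the thread, from VSI, Process Software or OpenSSH: it parses both trace formats as they appear in the quoted lines (including lists that wrapped onto the next line and the " at " that the list archive substitutes for "@"), and flags the entries a defender would want removed from the offer. The weakness table is this example's own assumption, and the sample traces are abridged reconstructions of the two outputs quoted above.

```python
"""Audit the algorithm lists an SSH client prints in its debug trace.

Added example for the Info-vax thread, not VSI, Process Software or OpenSSH
code. Log formats are inferred from the lines quoted in the thread; the
LEGACY table below is this example's own assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# MultiNet / VSI SSH:  debug: (hh:mm:ss)Module/FILE.C;1:NN: kex_algorithms = a,b,c
MULTINET_RE = re.compile(r"^debug:.*?:\s*([a-z_]+)\s*=\s*(.*)$")
# OpenSSH:             debug2: KEX algorithms: a,b,c
OPENSSH_RE = re.compile(r"^debug2:\s*([A-Za-z ]+?):\s*(.*)$")

# Only these negotiation lists are audited (compression lists are ignored,
# where "none" is harmless).
WANTED = ("kex", "host_key", "cipher", "mac")

# Assumed weakness table; algorithm names are those seen in the thread.
LEGACY: Dict[str, str] = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 in key exchange",
    "diffie-hellman-group14-sha1": "SHA-1 in key exchange",
    "ssh-dss": "DSA host key (1024-bit, SHA-1 signature)",
    "x509v3-ssh-dss": "DSA host key (1024-bit, SHA-1 signature)",
    "x509v3-sign-dss": "DSA host key (1024-bit, SHA-1 signature)",
    "ssh-rsa": "RSA with SHA-1 signature; prefer rsa-sha2-256/512",
    "3des-cbc": "64-bit block cipher", "3des-ctr": "64-bit block cipher",
    "blowfish-cbc": "64-bit block cipher", "blowfish-ctr": "64-bit block cipher",
    "hmac-md5": "MD5-based MAC",
    "none": "no encryption or integrity protection",
}


def weakness(alg: str) -> Optional[str]:
    """Return why an algorithm is considered legacy, or None if it is fine."""
    if alg in LEGACY:
        return LEGACY[alg]
    if alg.endswith("-cbc"):
        return "CBC mode; OpenSSH disables CBC ciphers by default"
    return None


def _split(value: str) -> List[str]:
    # Mailing-list archives render "@" as " at "; undo that so names compare.
    return [a.strip().replace(" at ", "@") for a in value.split(",") if a.strip()]


def parse_proposals(text: str) -> Dict[str, List[str]]:
    """Map each negotiation list (e.g. 'kex_algorithms') to its algorithms."""
    proposals: Dict[str, List[str]] = {}
    side: Optional[str] = None      # OpenSSH prints local and peer proposals
    pending: Optional[str] = None   # label whose list wrapped to the next line
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()   # drop e-mail quoting
        if not line:
            continue
        if "KEXINIT proposal" in line:    # OpenSSH section marker
            side = "peer" if "peer" in line else "local"
            pending = None
            continue
        m = MULTINET_RE.match(line) or OPENSSH_RE.match(line)
        if m:
            pending = None
            label = m.group(1).strip().lower().replace(" ", "_")
            if not any(k in label for k in WANTED):
                continue
            key = f"{side}:{label}" if side else label
            value = m.group(2).strip()
            if value:
                proposals[key] = _split(value)
            else:
                pending = key     # list follows on the next non-empty line
        elif pending:
            proposals[pending] = _split(line)
            pending = None
    return proposals


def audit(proposals: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (list, algorithm, reason) for every legacy entry offered."""
    return [(key, alg, weakness(alg)) for key, algs in proposals.items()
            for alg in algs if weakness(alg)]


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    return audit(parse_proposals(text))


# Constructed samples, abridged from the two traces quoted in the thread.
SAMPLE_MULTINET = """\
debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:66: host_key_algorithms = ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:67: ciphers_c_to_s = aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc,none
debug: (10:42:53)Ssh2Trans/SSHTRANS.C;1:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
debug: (10:42:53)Ssh2Client/SSHCLIENT.C;1:1765: Creating transport
protocol.
"""
SAMPLE_OPENSSH = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c

debug2: host key algorithms:
ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss

debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: compression ctos: none,zlib@openssh.com
"""

if __name__ == "__main__":
    for name, text in (("MultiNet/VSI", SAMPLE_MULTINET), ("OpenSSH", SAMPLE_OPENSSH)):
        print(f"== {name} ==")
        for key, alg, reason in audit_text(text):
            print(f"{key:28} {alg:38} {reason}")
```

Paste a real trace (quote prefixes and all) into a file and feed it to audit_text to see which of the thread's offers (diffie-hellman-group1-sha1, ssh-dss, 3des, blowfish, hmac-md5, "none") an installation still advertises; with OpenSSH, the keys are prefixed with local: or peer: so the server's offer can be told apart from the client's.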