[Info-vax] TCPWare SSH client/server question
Chris Townley
news at cct-net.co.uk
Mon Jan 11 08:47:27 EST 2021
On 11/01/2021 13:28, Richard Whalen wrote:
> On Thursday, January 7, 2021 at 9:04:02 AM UTC-5, Chris Townley wrote:
>> Not sure if I am being silly, but I now have 2 nodes running tcpware
>> (TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
>> I have only enabled ssh2 connections.
>>
>> If I connect from PC I connect fine, but if I connect from VMS, I get
>> the key exchange error
>>
>> warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
>>
>> and I get prompted for password.
>>
>> Looking at the file protections:
>>
>> SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
>>
>> ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
>> ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
>>
>> Seems OK to me, so I must be missing something.
>>
>>
>> Any suggestions?
>>
>>
>> Chris
>
>
>
> Sounds like a configuration error to me. Try SSH/DEBUG=4 and look for the following section:
>
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:66: host_key_algorithms = x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:67: ciphers_c_to_s = aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:68: ciphers_s_to_c = aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
> debug: (08:19:56)Ssh2Client/SSHCLIENT.C;5:1819: Creating transport protocol.
> debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:115: client_wrap already have params
> debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4319: available kex algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4337: guessed kex ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521
> debug: (08:19:56)SshProtoTrKex/TRKEX.C;4:1017: have SshKexType object for ecdh-sha2-nistp256
>
> Also, make sure that both systems have recent SSHB patches.
> - Correct an error in Group Exchange Key Exchange for group 18.
> SSHB_V602P040 ECO Rank 3 8-Jul-2019
>
As I said further to this, I think the problem is due to it being an RSA
key - SSH2 client seems not to support RSA keys. Just the error message
is misleading - debug doesn't add to that.
At least TCPWare is more up to date than TCP/IP services...
Chris
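
Added example, not part of the original thread and not TCPware code: a Python check that parses the protection lines quoted above (System, Owner, Group, World) and confirms the private key is closed to group and world. The policy it applies is an assumption chosen for illustration, not TCPware's documented check, and `ID_RSA_BAD.;1` is a constructed entry.

```python
import re

# One line of directory output as quoted in the post:
#   name  [group,member]  (System,Owner,Group,World)
LINE_RE = re.compile(r"^(\S+)\s+\[([^\]]+)\]\s+\(([A-Z]*),([A-Z]*),([A-Z]*),([A-Z]*)\)$")
CLASSES = ("system", "owner", "group", "world")


def parse_protection(line):
    """Return (filename, owner_uic, {class: set of access letters})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a protection line: {line!r}")
    masks = {c: set(m.group(i + 3)) for i, c in enumerate(CLASSES)}
    return m.group(1), m.group(2), masks


def audit(line):
    """Apply the assumed policy; return a list of findings (empty means OK)."""
    name, _owner, p = parse_protection(line)
    base = name.split(";")[0]  # drop the file version number
    findings = []
    if base.endswith((".DIR", ".PUB")):
        # Directory or public key: readable is fine, group/world write or delete is not.
        for c in ("group", "world"):
            if p[c] & {"W", "D"}:
                findings.append(f"{name}: {c} can modify it")
    else:
        # Private key: the owner must be able to read it; group and world get nothing.
        if "R" not in p["owner"]:
            findings.append(f"{name}: owner cannot read the private key")
        for c in ("group", "world"):
            if p[c]:
                findings.append(f"{name}: {c} has {''.join(sorted(p[c]))} access")
    return findings


# The three lines quoted in the post, plus one constructed failing entry.
SAMPLE = [
    "SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)",
    "ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)",
    "ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)",
    "ID_RSA_BAD.;1 [CCT,TOWNLEYC] (RW,RW,R,)",  # constructed
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", audit(entry) or "OK")
```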