[Info-vax] SSH from VMS to 3Par
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Oct 11 11:32:15 EDT 2021
On 2021-10-11 14:45:24 +0000, pcoviello at gmail.com said:
> thanks though I don't recall having access to that level.
>
> HPE wanted no part of downgrading the ciphers or a work around for this.
From what HPE has published for this change (HPE 3PAR OS 3.3.1 GA
Release Notes, pages 14 and 15, HPE Issue IDs 146489, 146490) (and
technical writing errors in that HPE doc aside), there is no published
ssh negotiation downgrade procedure.
Symptoms: SSH access to the array may be impacted when using clients
which were used with prior versions of HPE 3PAR OS.
Conditions of occurrence: Updating to 3.3.1GA or later and attempting
to use an older SSH cypher.
Impact: High
Customer circumvention: None
Customer recovery steps: SSH Client update or configuration.
That "none" there doesn't give me much hope for circumvention; for
KEX/cipher/MAC downgrades.
Pending VSI changes to OpenVMS ssh or the VSI OpenSSH port, you're
seemingly left using a different ssh client and quite possibly from a
different host, or finding an alternative path for whatever 3PAR
storage management access or reconfiguration you're here seeking. Maybe
via cURL and HTTPS, for instance? Or learning about and possibly
reverse-engineering 3PAR sufficiently to find whether the ssh KEX,
Ciphers, and MAC can be user-configured, though I'm not particularly
hopeful there.
A quick search of the 3PAR CLI manual was not promising.
While it does not discuss ssh downgrades, the following does discuss
how HPE implements 3PAR StoreServ security, including "HPE 3PAR
Central": https://www.hpe.com/psnow/doc/4AA3-7592ENW.pdf
--
Pure Personal Opinion | HoffmanLabs LLC
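
Added example, not part of the original post and not HPE or VSI code: a sketch of how SSH selects KEX, cipher and MAC algorithms (RFC 4253 section 7.1), showing why an older client fails against a server that has dropped the older algorithms. The name-lists are constructed samples, not the actual 3PAR or OpenVMS offerings, and the function names are hypothetical.

```python
# SSH algorithm selection per RFC 4253 section 7.1: for each category the
# chosen algorithm is the first name on the CLIENT's list that the server
# also offers. No overlap in any category aborts the connection.
# Simplification: real SSH negotiates cipher and MAC per direction.

# AEAD ciphers carry their own integrity check, so the MAC result is unused.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "chacha20-poly1305@openssh.com"}

def pick(client_list, server_list):
    """Return the first client-preferred name the server also offers, else None."""
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    return None

def negotiate(client, server):
    """client/server: dicts of 'kex', 'cipher', 'mac' name-lists.
    Returns (chosen, failed): chosen names and the categories with no overlap."""
    chosen = {cat: pick(client[cat], server[cat])
              for cat in ("kex", "cipher", "mac")}
    if chosen["cipher"] in AEAD_CIPHERS:
        chosen["mac"] = "<implicit>"
    failed = [cat for cat, name in chosen.items() if name is None]
    return chosen, failed

# Constructed sample lists (assumptions, not taken from any real product).
OLD_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
NEWER_CLIENT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "cipher": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha1"],
}
HARDENED_SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "cipher": ["aes256-ctr", "aes128-ctr", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

if __name__ == "__main__":
    for label, client in (("old", OLD_CLIENT), ("newer", NEWER_CLIENT)):
        chosen, failed = negotiate(client, HARDENED_SERVER)
        print(label, chosen, "no overlap in:", failed or "none")
```

Against a real server, the client's debug output (for OpenSSH, `ssh -vv`) shows both sides' offered lists, which can be fed into the dictionaries above.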