[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)

Rod Prince rod at novalid.com
Wed May 24 13:56:58 EDT 2023 

On 5/24/2023 10:39 AM, HCorte wrote:
> Trying to connect to another machine using ssh but failing with error of:
> 
> debug(24-MAY-2023 12:20:30.82): Remote version: SSH-2.0-OpenSSH_8.0
> debug(24-MAY-2023 12:20:30.84): OpenSSH: Major: 8 Minor: 0 Revision: 0
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1825: All versions of OpenSSH handle kex guesses incorrectly.
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 20 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2756: >TR packet_type=20
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2318: lang s to c: `', lang c to s: `'
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2334: Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host
> _key = ssh-rsa)
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 1 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Common/SSHCOMMON.C:180: DISCONNECT received: Algorithm negotiation failed.
> debug(24-MAY-2023 12:20:30.85): SshReadLine/SSHREADLINE.C:3728: Uninitializing ReadLine...
> warning: Authentication failed.
> debug(24-MAY-2023 12:20:30.85): Ssh2/SSH2.C:327: locally_generated = TRUE
> Disconnected; key exchange or algorithm negotiation failed (Algorithm negotiation failed.).
> 
> 
> ssh username at hostname  -v
> 
> what are the correct format for options in OpenVMS for the image tcpip$ssh_ssh-keygen2.exe??
> 
> the equivalent of unix command:
> ssh -o "KexAlgorithms diffie-hellman-group1-sha1" -o "HostKeyAlgorithms ssh-dss" -o "Ciphers aes256-cbc" -i chaveprivada username at hostname
> 
> also tried to change in the unix server to change sshd_config and added:
> ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305 at openssh.com,aes256-cbc
> KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
> 
> as well hostkeyalgorithms ssh-dss
> 
> but still fails with the error:
> All versions of OpenSSH handle kex guesses incorrectly
> Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host
> _key = ssh-rsa
> 
> here its confusing for me since if its been added "KexAlgorithms diffie-hellman-group1-sha1" in sshd_config of the unix system so OpenVMS should have stoped complaining about the KexAlgorithm...
> 
> this attemp of changing sshd_config isn't a good option for security reasons but was to test if at least would fix in short term solution...
> 
> Thanks
> 

You might want to try enabling ssh-rsa for the HostkeyAlgorithms.

Recently went thru something similar trying to get a OpenVMS HPE 8.4 (with TCPIP v5.7-13ECO5) 
talking to a TrueNAS server via ssh.  Wanted to use sftp to push files over to the NAS storage device.

Normally I just have to downgrade the server to allow diffie-hellman-group1-sha1 & ssh-dss, but 
until I also allowed ssh-rsa it just would not work.  It appears that the TrueNAS side "accepts" the 
ssh-dss argument it just totally ignores it. The TrueNAS side still supports ssh-rsa and that is 
also supported on the VMS side.

I ended up with the following on my TrueNAS side

HostKeyAlgorithms=+ssh-dss,ssh-rsa
KexAlgorithms=+diffie-hellman-group1-sha1

Now I can't say if its secure or not, but then, its probably better than FTP which is the 
alternative to push a file (backup save set) over to the TrueNAS for storage.

Rod

More information about the Info-vax mailing list