[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)
Rod Prince
rod at novalid.com
Wed May 24 13:56:58 EDT 2023
On 5/24/2023 10:39 AM, HCorte wrote:
> Trying to connect to another machine using ssh but failing with error of:
>
> debug(24-MAY-2023 12:20:30.82): Remote version: SSH-2.0-OpenSSH_8.0
> debug(24-MAY-2023 12:20:30.84): OpenSSH: Major: 8 Minor: 0 Revision: 0
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1825: All versions of OpenSSH handle kex guesses incorrectly.
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 20 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2756: >TR packet_type=20
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2318: lang s to c: `', lang c to s: `'
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2334: Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa)
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 1 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Common/SSHCOMMON.C:180: DISCONNECT received: Algorithm negotiation failed.
> debug(24-MAY-2023 12:20:30.85): SshReadLine/SSHREADLINE.C:3728: Uninitializing ReadLine...
> warning: Authentication failed.
> debug(24-MAY-2023 12:20:30.85): Ssh2/SSH2.C:327: locally_generated = TRUE
> Disconnected; key exchange or algorithm negotiation failed (Algorithm negotiation failed.).
>
>
> ssh username@hostname -v
>
> What is the correct format for options in OpenVMS for the image tcpip$ssh_ssh-keygen2.exe?
>
> the equivalent of unix command:
> ssh -o "KexAlgorithms diffie-hellman-group1-sha1" -o "HostKeyAlgorithms ssh-dss" -o "Ciphers aes256-cbc" -i chaveprivada username@hostname
>
> also tried changing sshd_config on the unix server and added:
> ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc
> KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
>
> as well as hostkeyalgorithms ssh-dss
>
> but still fails with the error:
> All versions of OpenSSH handle kex guesses incorrectly
> Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa
>
> here it's confusing for me, since "KexAlgorithms diffie-hellman-group1-sha1" has been added in sshd_config of the unix system, so OpenVMS should have stopped complaining about the KexAlgorithm...
>
> this attempt at changing sshd_config isn't a good option for security reasons, but it was to test if it would at least fix this as a short-term solution...
>
> Thanks
>
You might want to try enabling ssh-rsa for the HostkeyAlgorithms.

Recently went thru something similar trying to get an OpenVMS HPE 8.4 (with TCPIP v5.7-13ECO5)
talking to a TrueNAS server via ssh. Wanted to use sftp to push files over to the NAS storage device.
Normally I just have to downgrade the server to allow diffie-hellman-group1-sha1 & ssh-dss, but
until I also allowed ssh-rsa it just would not work. It appears that the TrueNAS side "accepts" the
ssh-dss argument; it just totally ignores it. The TrueNAS side still supports ssh-rsa and that is
also supported on the VMS side.

I ended up with the following on my TrueNAS side:

HostKeyAlgorithms=+ssh-dss,ssh-rsa
KexAlgorithms=+diffie-hellman-group1-sha1

Now I can't say if it's secure or not, but then, it's probably better than FTP, which is the
alternative to push a file (backup save set) over to the TrueNAS for storage.

Rod
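
The negotiation step that the debug log reports failing, as an added example that is not part of the original posts: a simplified model of the RFC 4253 section 7.1 rule (the first name on the client's list that the server also lists), including the difference between a "+" list and a replacing list in sshd_config. The algorithm lists are constructed sample values, not any real product's defaults, and the function names are hypothetical.

```python
# Added example (not from the thread). Simplified RFC 4253 section 7.1 rule:
# the chosen algorithm is the first name on the client's list that the server
# also lists. All algorithm lists below are constructed sample values.

def parse_config(text):
    """Parse 'Keyword value' / 'Keyword=value' lines; the first occurrence wins."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        out.setdefault(key.lower(), value.strip())
    return out

def effective_list(defaults, directive):
    """'+a,b' appends to the defaults; a plain 'a,b' replaces them entirely."""
    if directive is None:
        return list(defaults)
    if directive.startswith("+"):
        extra = [a for a in directive[1:].split(",") if a]
        return list(defaults) + [a for a in extra if a not in defaults]
    return [a for a in directive.split(",") if a]

def negotiate(client, server):
    """Return the first client algorithm the server also offers, else None."""
    return next((alg for alg in client if alg in server), None)

# Constructed: a legacy client that offers only algorithms named in the thread.
CLIENT = {"kex": ["diffie-hellman-group1-sha1"], "hostkey": ["ssh-rsa", "ssh-dss"]}
# Constructed stand-in for a modern server's built-in defaults.
SERVER_DEFAULTS = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
                   "hostkey": ["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"]}

def outcome(config_text):
    """Return (chosen_kex, chosen_host_key) for a server using config_text."""
    cfg = parse_config(config_text)
    kex = effective_list(SERVER_DEFAULTS["kex"], cfg.get("kexalgorithms"))
    hostkey = effective_list(SERVER_DEFAULTS["hostkey"], cfg.get("hostkeyalgorithms"))
    return negotiate(CLIENT["kex"], kex), negotiate(CLIENT["hostkey"], hostkey)

if __name__ == "__main__":
    print(outcome(""))  # no overlap on kex: same shape as the log's chosen_kex = NULL
    print(outcome("HostKeyAlgorithms=+ssh-dss,ssh-rsa\n"
                  "KexAlgorithms=+diffie-hellman-group1-sha1\n"))
```

A `None` in the first position corresponds to the log's `chosen_kex = NULL`. With a replacing list such as `HostKeyAlgorithms ssh-dss`, the server stops offering everything else, including its modern host key types.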