[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)
Bob Gezelter
gezelter at rlgsc.com
Wed May 24 16:43:56 EDT 2023
On Wednesday, May 24, 2023 at 10:39:08 AM UTC-4, HCorte wrote:
> Trying to connect to another machine using ssh but failing with error of:
>
> debug(24-MAY-2023 12:20:30.82): Remote version: SSH-2.0-OpenSSH_8.0
> debug(24-MAY-2023 12:20:30.84): OpenSSH: Major: 8 Minor: 0 Revision: 0
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1825: All versions of OpenSSH handle kex guesses incorrectly.
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 20 to connection
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2756: >TR packet_type=20
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2318: lang s to c: `', lang c to s: `'
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2334: Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa)
> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 1 to connection
> debug(24-MAY-2023 12:20:30.85): Ssh2Common/SSHCOMMON.C:180: DISCONNECT received: Algorithm negotiation failed.
> debug(24-MAY-2023 12:20:30.85): SshReadLine/SSHREADLINE.C:3728: Uninitializing ReadLine...
> warning: Authentication failed.
> debug(24-MAY-2023 12:20:30.85): Ssh2/SSH2.C:327: locally_generated = TRUE
> Disconnected; key exchange or algorithm negotiation failed (Algorithm negotiation failed.).
>
>
> ssh username@hostname -v
>
> What is the correct format for options in OpenVMS for the image tcpip$ssh_ssh-keygen2.exe?
>
> The equivalent of the unix command:
> ssh -o "KexAlgorithms diffie-hellman-group1-sha1" -o "HostKeyAlgorithms ssh-dss" -o "Ciphers aes256-cbc" -i chaveprivada username@hostname
>
> Also tried changing sshd_config on the unix server and added:
> ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20...@openssh.com,aes256-cbc
> KexAlgorithms curve255...@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
>
> as well as hostkeyalgorithms ssh-dss
>
> but still fails with the error:
> All versions of OpenSSH handle kex guesses incorrectly
> Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa
>
> Here it's confusing for me, since if "KexAlgorithms diffie-hellman-group1-sha1" has been added to sshd_config of the unix system, OpenVMS should have stopped complaining about the KexAlgorithm...
>
> This attempt at changing sshd_config isn't a good option for security reasons, but it was to test whether it would at least fix the problem as a short-term solution...
>
> Thanks
HCorte,
Been there; dealt with that.
First off, what is the version of OpenVMS and TCPIP?
The problem is most likely not SSH keygen. The "incompatibility" is that many Linux and other platforms have had key exchange and cipher updates in the interim, and TCPIP services has been a tad lagging.
Enabling more detailed tracing will reveal which methods are acceptable to each system. If connecting from a more current host to an OpenVMS system, one can specify older, and often deprecated, methods, either on the command line or in the hosts file. If connecting from the OpenVMS system, one probably has to modify the settings on the target system to accept the older methods.
- Bob Gezelter, http://www.rlgsc.com
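
Added example, not part of the original messages and not code from either SSH implementation: a Python sketch that decodes the name-lists in an SSH_MSG_KEXINIT payload (the "packet with type 20" in the trace) and reports which category has no common algorithm. The function names and the two sample offers are constructed assumptions; the real offers have to come from detailed tracing on each host.

```python
import struct

SSH_MSG_KEXINIT = 20  # the "packet with type 20" in the debug trace
# Name-list fields of KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(offer):
    """Encode a KEXINIT payload from a dict of field -> list of names."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type byte, zeroed cookie
    for field in FIELDS:
        names = ",".join(offer.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # no guess packet, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of field -> list of names."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, offer = 17, {}  # skip type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        pos += size
    return offer

def negotiate(client, server):
    """First name on the client's list that the server also offers, per field;
    None means no overlap. Simplified: the guess and kex/host-key compatibility
    rules are not modelled, and the optional language lists are skipped."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:8]}

def sample_offers():
    """Constructed offers, not captured from the hosts in this thread."""
    base = {f: ["aes256-cbc"] for f in ("cipher_c2s", "cipher_s2c")}
    base.update({f: ["hmac-sha1"] for f in ("mac_c2s", "mac_s2c")})
    base.update({f: ["none"] for f in ("comp_c2s", "comp_s2c")})
    old = dict(base, kex=["diffie-hellman-group1-sha1"],
               host_key=["ssh-dss", "ssh-rsa"])
    new = dict(base, kex=["curve25519-sha256", "diffie-hellman-group14-sha1"],
               host_key=["rsa-sha2-256", "ssh-rsa"])
    return build_kexinit(old), build_kexinit(new)
```

With these constructed offers, `negotiate(parse_kexinit(old), parse_kexinit(new))` returns `None` for `kex` and `ssh-rsa` for `host_key`, the same shape as the `chosen_kex = NULL, chosen_host_key = ssh-rsa` line in the trace.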