[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)

Craig A. Berry craigberry at nospam.mac.com
Thu May 25 07:38:54 EDT 2023


On 5/25/23 5:08 AM, HCorte wrote:
> On Wednesday, 24 May 2023 at 21:43:58 UTC+1, Bob Gezelter wrote:
>> On Wednesday, May 24, 2023 at 10:39:08 AM UTC-4, HCorte wrote:
>>> Trying to connect to another machine using ssh but failing with error of:
>>>
>>> debug(24-MAY-2023 12:20:30.82): Remote version: SSH-2.0-OpenSSH_8.0
>>> debug(24-MAY-2023 12:20:30.84): OpenSSH: Major: 8 Minor: 0 Revision: 0
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1825: All versions of OpenSSH handle kex guesses incorrectly.
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 20 to connection
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2756: >TR packet_type=20
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2318: lang s to c: `', lang c to s: `'
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2334: Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa)
>>> debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 2 to connection
>>> debug(24-MAY-2023 12:20:30.85): Ssh2Transport/TRCOMMON.C:1113: Sending packet with type 1 to connection
>>> debug(24-MAY-2023 12:20:30.85): Ssh2Common/SSHCOMMON.C:180: DISCONNECT received: Algorithm negotiation failed.
>>> debug(24-MAY-2023 12:20:30.85): SshReadLine/SSHREADLINE.C:3728: Uninitializing ReadLine...
>>> warning: Authentication failed.
>>> debug(24-MAY-2023 12:20:30.85): Ssh2/SSH2.C:327: locally_generated = TRUE
>>> Disconnected; key exchange or algorithm negotiation failed (Algorithm negotiation failed.).
>>>
>>>
>>> ssh username@hostname -v
>>>
>>> What is the correct format for options in OpenVMS for the image tcpip$ssh_ssh-keygen2.exe?
>>>
>>> The equivalent of the Unix command:
>>> ssh -o "KexAlgorithms diffie-hellman-group1-sha1" -o "HostKeyAlgorithms ssh-dss" -o "Ciphers aes256-cbc" -i chaveprivada username@hostname
>>>
>>> I also tried changing sshd_config on the Unix server and added:
>>> ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20...@openssh.com,aes256-cbc
>>> KexAlgorithms curve255...@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>> macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
>>>
>>> as well as hostkeyalgorithms ssh-dss
>>>
>>> but it still fails with the error:
>>> All versions of OpenSSH handle kex guesses incorrectly
>>> Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host_key = ssh-rsa
>>>
>>> Here it's confusing for me, since if "KexAlgorithms diffie-hellman-group1-sha1" has been added in sshd_config of the Unix system, OpenVMS should have stopped complaining about the KexAlgorithm...
>>>
>>> This attempt at changing sshd_config isn't a good option for security reasons, but it was to test whether it would at least fix it as a short-term solution...
>>>
>>> Thanks
>> HCorte,
>>
>> Been there; dealt with that.
>>
>> First off, what is the version of OpenVMS and TCPIP?
>>
>> The problem is most likely not SSH keygen. The "incompatibility" is that many Linux and other platforms have had key exchange and cipher updates in the interim, and TCPIP Services has been a tad lagging.
>>
>> Enabling more detailed tracing will reveal which methods are acceptable to each system. If connecting from a more current host to an OpenVMS system, one can either specify older, and often deprecated, methods, either on the command line or in the hosts file. If connecting from the OpenVMS system, one probably has to modify the settings on the target system to accept the older methods.
>>
>> - Bob Gezelter, http://www.rlgsc.com
> 
> @Bob it's a very old version of VMS (from what I was told in this forum in another post)
> $ SHOW SYSTEM
> OpenVMS V8.4
> 
> $ tcpip SHOW VERSION
>   HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.7 - ECO 2
>    on an HP rx3600  (1.67GHz/9.0MB) running OpenVMS V8.4
> 
> @Jim I had already tried that, but it gives the same information, and in the help (ssh -h):
> SSH Secure Shell OpenVMS (V5.5) 3.2.0 on HP rx3600  (1.67GHz/9.0MB) - VMS V8.4
> 
> Options:
> 
>    -l login_name  Log in using this user name.
> 
>    +x             Enable X11 connection forwarding (treat X11 clients as
>                   UNTRUSTED).
> 
>    +X             Enable X11 connection forwarding (treat X11 clients as
>                   TRUSTED).
> 
>    -x             Disable X11 connection forwarding.
> 
>    -i file        Identity file for public key authentication
> 
>    -F file        Read an alternative configuration file.
> 
>    -t             Tty; allocate a tty even if command is given.
> 
>    -v             Verbose; display verbose debugging messages. Equal to '-d 2'
> 
>    -d level       Set debug level.
> 
>    -V             Display version string.
> 
>    -q             Quiet; don't display any warning messages.
> 
>    -p port        Connect to this port.  Server must be on the same port.
> 
>    -S             Don't request a session channel.
> 
>    -L listen-port:host:port   Forward local port to remote address
> 
>    -R listen-port:host:port   Forward remote port to local address
> 
>                   These cause ssh to listen for connections on a port, and
>                   forward them to the other side by connecting to host:port.
> 
>    -4             Use IPv4 to connect.
> 
>    -6             Use IPv6 to connect.
> 
>    -o 'option'    Process the option as if it was read from a configuration
>                   file.
> 
>    -h             Display this help.
> 
> 
> 
> Command can be either:
> 
>    remote_command [arguments] ...    Run command in remote host.
> 
>    -s service                        Enable a service in remote server.
> 
> 
> 
> Supported ciphers:
> 
>    3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,twofish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,des-cbc@ssh.com,cast128-cbc,rc2-cbc@ssh.com,arcfour,none
> 
> Supported MAC algorithms:
> 
>    hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha256@ssh.com,hmac-sha256-96@ssh.com,hmac-ripemd160@ssh.com,hmac-ripemd160-96@ssh.com,hmac-tiger128@ssh.com,hmac-tiger128-96@ssh.com,hmac-tiger160@ssh.com,hmac-tiger160-96@ssh.com,hmac-tiger192@ssh.com,hmac-tiger192-96@ssh.com,none
> 
> How do I get a list of the supported Kex (Key Exchange Algorithms)?

Dunno about kex, but you can look at what's in the config at
SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG for ciphers and MAC
algorithms.  Sometimes it is possible to reorder or modify the limited
options available to avoid obsolete algorithms.
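As an added illustration that is not part of this thread and not the code of either SSH implementation: Bob's point that the two ends simply have no key exchange or cipher in common can be checked offline by replaying the SSH-2 negotiation rule from RFC 4253 section 7.1 (for each category, the chosen algorithm is the first name on the client's list that also appears on the server's list; an empty intersection is exactly the "chosen_kex = NULL" case in the log above). The algorithm lists LEGACY_CLIENT, MODERN_SERVER and RELAXED_SERVER below are constructed approximations, not the real output of the OpenVMS SSH2 client or of OpenSSH 8.0; substitute the lists from your own client help output and the server's sshd_config. The function names are the example's own.

```python
"""Replay SSH-2 algorithm negotiation (RFC 4253 section 7.1) offline to see
which categories two peers cannot agree on, and parse the SSH2 client's
"Couldn't agree on kex or hostkey alg." debug line.  Example code; the
algorithm lists are constructed assumptions, not captured from real hosts."""
import re
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("kex", "hostkey", "cipher", "mac")


def parse_namelist(text: str) -> List[str]:
    """Split an SSH name-list (or an sshd_config value) "a,b,c" into names."""
    return [n.strip() for n in text.split(",") if n.strip()]


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 7.1: choose the first client-preferred name the server also
    lists.  None means the lists do not intersect, i.e. negotiation fails."""
    server = set(server_prefs)
    for name in client_prefs:
        if name in server:
            return name
    return None


def diagnose(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run the negotiation for every category and report the chosen name
    (or None) per category, so the failing category is visible at once."""
    return {
        cat: negotiate(parse_namelist(client[cat]), parse_namelist(server[cat]))
        for cat in CATEGORIES
    }


def failed_categories(result: Dict[str, Optional[str]]) -> List[str]:
    """Names of the categories on which the two peers could not agree."""
    return [cat for cat, chosen in result.items() if chosen is None]


# Matches the SSH2 client's debug line, including the line-wrapped form
# ("chosen_host" / "_key") seen in mailing-list copies of the log.
_LOG_RE = re.compile(r"chosen_kex = (\S+), chosen_host\s*_key = (\S+)\)")


def parse_negotiation_log(line: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Extract (chosen_kex, chosen_host_key) from the client's debug line;
    the literal NULL is returned as None.  Returns None if the line does not
    carry the negotiation result at all."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    kex, hostkey = m.groups()
    return (None if kex == "NULL" else kex, None if hostkey == "NULL" else hostkey)


# Constructed lists (assumptions): an old SSH2-style client that only knows
# SHA-1 DH groups and CBC ciphers, and a current OpenSSH-style server.
LEGACY_CLIENT = {
    "kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
    "hostkey": "ssh-dss,ssh-rsa",
    "cipher": "3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc",
    "mac": "hmac-md5,hmac-sha1,hmac-sha1-96",
}
MODERN_SERVER = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256",
    "hostkey": "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com",
    "mac": "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
}
# The same server after re-enabling one legacy kex in sshd_config: kex now
# succeeds, but the cipher category still has no common member.
RELAXED_SERVER = dict(MODERN_SERVER, kex=MODERN_SERVER["kex"] + ",diffie-hellman-group14-sha1")

# Constructed copy of the debug line quoted in the thread, with the wrap kept.
SAMPLE_LOG_LINE = ("debug(24-MAY-2023 12:20:30.84): Ssh2Transport/TRCOMMON.C:2334: "
                   "Couldn't agree on kex or hostkey alg. (chosen_kex = NULL, chosen_host\n_key = ssh-rsa)")

if __name__ == "__main__":
    for label, server in (("modern", MODERN_SERVER), ("relaxed", RELAXED_SERVER)):
        result = diagnose(LEGACY_CLIENT, server)
        print(label, result, "failed:", failed_categories(result))
    print("log says:", parse_negotiation_log(SAMPLE_LOG_LINE))
```

Against MODERN_SERVER the constructed client gets hostkey ssh-rsa but no kex, which is the same shape as the log above; against RELAXED_SERVER the kex is agreed but the cipher category still fails, which is why fixing one sshd_config keyword in isolation may not be enough. For real hosts, feed the server side from `sshd -T` output or sshd_config and the client side from the client's own supported lists.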