[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)
Jim
mckinneyj at leidos.com
Thu May 25 08:09:49 EDT 2023
On Thursday, May 25, 2023 at 7:38:59 AM UTC-4, Craig A. Berry wrote:
> On 5/25/23 5:08 AM, HCorte wrote:
> >
> > How do I get a list of the Kex supported (Key Exchange Algorithm)??
> Dunno about kex, but you can look at what's in the config at
> SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG for ciphers and MAC
> algorithms. Sometimes it is possible to reorder or modify the limited
> options available to avoid obsolete algorithms.
If this version of TCP supports it, the method for affecting which KEXs are
to be supported if the defaults are not desired would be with a KEXs
directive in the SSHD2_CONFIG. file. Something like this:
    KEXs ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
I suspect that the only way to see which KEXs are currently being offered
by client and server would be to use TCPDUMP or equivalent. The KEX
algorithm list (along with cipher and MAC) are exchanged in plain text
early on in the SSH handshake. The KEX are first in each end's option
bundle. The algorithm list is comma separated. KEXs end and ciphers
begin where you see a small break in the comma separated list. There
will be a null byte or two... you'll find an algorithm list being offered from
both the client and the server prior to their agreement.
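Added example, not part of the original post: a parser for the cleartext SSH_MSG_KEXINIT packet laid out in RFC 4253 section 7.1, where each name-list is preceded by a 4-byte big-endian length (the break seen between the comma-separated lists in a capture). The function names and the old client's offer are constructed for illustration; the server list is the KEXs line quoted above.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def build_kexinit(lists):
    """Build a cleartext KEXINIT binary packet (constructed test data, no MAC)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # message type + cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body    # uint32 length + names
    payload += b"\x00" + struct.pack(">I", 0)             # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0                            # RFC 4253: at least 4 padding bytes
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_kexinit(packet):
    """Return {field: [names]} from one unencrypted SSH binary packet."""
    if len(packet) < 5:
        raise ValueError("truncated packet")
    length, pad = struct.unpack(">IB", packet[:5])
    if length + 4 > len(packet) or length < pad + 1:
        raise ValueError("bad packet length")
    payload = packet[5:4 + length - pad]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, out = 17, {}                                     # skip type byte + 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list overruns payload")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def first_common(client, server, field):
    """First name on the client's list that the server also offers, else None."""
    return next((a for a in client[field] if a in server[field]), None)

# Constructed sample offers; SERVER_KEX is the KEXs directive quoted in the post.
SERVER_KEX = ("ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
              "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256").split(",")
OLD_CLIENT_KEX = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
```

Feeding it the first packet each side sends after the version banner gives both offers; a `None` from `first_common` on `kex_algorithms` or `server_host_key_algorithms` corresponds to the "Couldn't agree on kex or hostkey alg" failure in the subject line.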