[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)

HCorte hmmbcorte at gmail.com
Thu May 25 09:18:08 EDT 2023 

A quinta-feira, 25 de maio de 2023 à(s) 13:09:51 UTC+1, Jim escreveu:
> On Thursday, May 25, 2023 at 7:38:59 AM UTC-4, Craig A. Berry wrote: 
> > On 5/25/23 5:08 AM, HCorte wrote: 
> > > 
> > > How do I get a list of the Kex supported (Key Enchange Algorithm)?? 
> > Dunno about kex, but you can look at what's in the config at 
> > SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG for ciphers and MAC 
> > algorithms. Sometimes it is possible to reorder or modify the limited 
> > options available to avoid obsolete algorithms.
> If this version of TCP supports it, the method for affecting which KEXs are 
> to be supported if the defaults are not desired would be with a KEXs 
> directive in the SSHD2_CONFIG. file. Something like this: 
> 
> KEXs ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 
> ,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256 
> 
> I suspect that the only way to see which KEXs are currently being offered 
> by client and server would be to use TCPDUMP or equivalent. The KEX 
> algorithm list (along with cipher and MAC) are exchange in plain text 
> early on in the SSH handshake. The KEX are first in each end's option 
> bundle. The algorithm list is comma separated. KEXs end and ciphers 
> begin where you see a small break in the comma separated list. There 
> will be a null byte or two... you'll find an algorithm list being offered from 
> both the client and the server prior to their agreement.

@Jim, was able to get more debug verbosity level

ssh username at hostname -d 4

debug(25-MAY-2023 12:25:28.40): Ssh2Transport/TRCOMMON.C:2165: client: kex = diffie-hellman-group1-sha1, hk_alg
 = ssh-dss,ssh-rsa,x509v3-sign-dss,x509v3-sign-rsa

debug(25-MAY-2023 12:25:28.40): Ssh2Transport/TRCOMMON.C:2167: server: kex = curve25519-sha256,curve25519-sha25
6 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diff
ie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exch
ange-sha1,diffie-hellman-group14-sha1, hk_alg = rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed255
19

have to talk to a collegue to insert again diffie-hellman-group1-sha1 into sshd_config in unix system to check what message returns now with this level of verbosity, to see if this kex will also start to appear in the server kex as well.

@Craig

type SSHD2_CONFIG.;3
...
## Crypto

    Ciphers                             AnyCipher
...
    MACs                                AnyMAC
...


But with the command "ssh -h"

add already given me those list:

Supported ciphers:

3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,twofish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,des... at ssh.com,ca
st128-cbc,rc2... at ssh.com,arcfour,none

Supported MAC algorithms:

hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-... at ssh.com,hmac-sh... at ssh.com,hmac-ri... at ssh.com,hmac-ripemd160-96 at ss
h.com,hmac-t... at ssh.com,hmac-tig... at ssh.com,hmac-t... at ssh.com,hmac-tig... at ssh.com,hmac-t... at ssh.com,hmac-tiger
192... at ssh.com,none

but add already tried with a collegue to added some of this to the unix sshd_config file with no sucess in fixing, but more verbosity in the debbug will try to see if something changes.

More information about the Info-vax mailing list