[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)

kemain.nospam at gmail.com kemain.nospam at gmail.com
Sat May 27 21:11:16 EDT 2023


> -----Original Message-----
> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Stephen
> Hoffman via Info-vax
> Sent: Friday, May 26, 2023 4:13 PM
> To: info-vax at rbnsn.com
> Cc: Stephen Hoffman <seaohveh at hoffmanlabs.invalid>
> Subject: Re: [Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree
> on kex or hostkey alg)
> 
> On 2023-05-26 14:17:03 +0000, HCorte said:
> 
> > On Friday, 26 May 2023 at 10:02:39 UTC+1, Single Stage to
> > Orbit wrote:
> >> On Thu, 2023-05-25 at 13:54 -0700, Bob Gezelter wrote:
> >> > >    KexAlgorithms +diffie-hellman-group1-sha1
> >> > >    HostKeyAlgorithms +ssh-dss
> >> > >    Ciphers +aes128-cbc
> >> I'd be delighted if VSI updated OpenSSH to enable ed25519. I live in
> >> hope some day :-D
> >> --
> >> Tactical Nuclear Kittens
> 
> OpenSSH version 6.5 and later offer ed25519, and—per the release notes—
> the OpenVMS version does support ed25519.
> 
> The OpenVMS OpenSSH port does not support ed25519-sk keys, which is
> related to FIDO / U2F authentication.  Which would be nice to have, yes.
> 
> > yes @Bob the problem is in the server side,
> 
> The problem is with the OpenVMS server and with its administration.
> 
> > We tried to connect in another machine unix that has the version 7 of
> > ssh and it worked well, so now will be installed that version in the
> > final unix machine with a different port so the problem will be fixed
> > as was suggested here, thanks for all the feedback.
> 
> Old systems can and will fall behind, and network connections and services will
> fail as peers are kept (more) current. Inevitably.
> 

One option to address this is to adopt the commercial SSH package from Process Software. 
<https://www.process.com/products/ssh/>

Supports
- OpenVMS VAX 5.5-2 or higher
- OpenVMS Alpha 6.2 or higher
- OpenVMS Integrity 8.2 or higher

** Runs on any version of TCP/IP Services supported by HPE or VSI

Can also get a free evaluation kit from Process Software.

> > yes @Craig not gonna install a new version of ssh in OpenVMS machine
> > don't know what kind of problems could/would arise from that and have
> > 0 experience in installing any software in VMS...
> 
> SSH connection downgrade scripts have gotten posted here on occasion.
> I've posted a template sethost shell script for macOS and other Unix and Linux
> platforms. That script allows systems with newer ssh easier access into
> outdated OpenVMS ssh configurations, and to outdated iLO ssh
> configurations. And easier telnet access, for those here connecting to the
> antediluvian stuff.
> 
> https://groups.google.com/g/comp.os.vms/c/DhT_TWepPJ8/m/ReiPhF25CAAJ
> 
> While previous OpenVMS régimes were sometimes slow to push out patches
> for SSH and TLS, VSI has been better about that.
> 
> From the HP era, TCP/IP Services V5.7-ECO5 or later will probably work here,
> too. That patch became available in 2014.
> 
> An OpenVMS Alpha server in production in 2023 should be running
> V8.4-2L1 or -2L2, with a plan underway to migrate to OpenVMS x86-64, or a
> plan to port the apps to Linux, Windows, or otherwise, or a plan to retire the
> server and its apps entirely.
> 
> Otherwise, and to paraphrase an aphorism from another context, if you look
> around the table and don't know who the designated scapegoat is, it's
> probably you.
> 



Regards,

Kerry Main
Kerry dot main at starkgaming dot com
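
An added example, not part of the original thread and not the sethost script mentioned above: a simplified model of SSH algorithm negotiation (first client entry the server also lists wins, per RFC 4253 section 7.1) showing why a current client and a legacy server cannot agree, and rendering the three `+` options quoted in the thread as a single-host `ssh_config` block instead of a global change. The algorithm lists other than those three names, the alias `legacy-vms` and the host `vms.example.com` are constructed assumptions.

```python
# Added example. All lists are constructed for illustration, not captured from a real host.
# Simplification: real kex selection also requires a compatible host key algorithm.

# Client defaults, modelled on a recent client with legacy algorithms disabled.
CLIENT = {
    "KexAlgorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "HostKeyAlgorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
}
# Legacy server offer; includes the three algorithms quoted in the thread.
LEGACY_SERVER = {
    "KexAlgorithms": ["diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-dss"],
    "Ciphers": ["aes128-cbc", "3des-cbc"],
}
# What the local client binary could enable (on a real system: ssh -Q kex / key / cipher).
LOCALLY_SUPPORTED = {
    "KexAlgorithms": CLIENT["KexAlgorithms"] + ["diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": CLIENT["HostKeyAlgorithms"] + ["ssh-dss"],
    "Ciphers": CLIENT["Ciphers"] + ["aes128-cbc"],
}

def negotiate(client, server):
    """Per category, return the first client algorithm the server also lists, else None."""
    return {cat: next((a for a in client[cat] if a in server[cat]), None)
            for cat in client}

def scoped_additions(client, server, supported):
    """For each category that fails to negotiate, pick one server algorithm to re-enable."""
    adds = {}
    for cat, chosen in negotiate(client, server).items():
        if chosen is None:
            usable = [a for a in server[cat] if a in supported[cat]]
            if not usable:
                raise ValueError(f"no locally supported {cat} matches the server")
            adds[cat] = usable[0]
    return adds

def host_block(alias, hostname, adds):
    """Render an ssh_config block so the weak algorithms apply to this one host only."""
    lines = [f"Host {alias}", f"    HostName {hostname}"]
    lines += [f"    {cat} +{alg}" for cat, alg in adds.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    print(negotiate(CLIENT, LEGACY_SERVER))   # every category fails before the additions
    adds = scoped_additions(CLIENT, LEGACY_SERVER, LOCALLY_SUPPORTED)
    print(host_block("legacy-vms", "vms.example.com", adds))
```
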



