[Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree on kex or hostkey alg)

HCorte hmmbcorte at gmail.com
Wed May 31 06:45:09 EDT 2023 

A domingo, 28 de maio de 2023 à(s) 02:15:35 UTC+1, kemain... at gmail.com escreveu:
> > -----Original Message----- 
> > From: Info-vax <info-vax... at rbnsn.com> On Behalf Of Stephen 
> > Hoffman via Info-vax 
> > Sent: Friday, May 26, 2023 4:13 PM 
> > To: info... at rbnsn.com 
> > Cc: Stephen Hoffman <seao... at hoffmanlabs.invalid> 
> > Subject: Re: [Info-vax] VMS SSH2 - tcpip$ssh_ssh-keygen2.exe (Couldn't agree 
> > on kex or hostkey alg) 
> > 
> > On 2023-05-26 14:17:03 +0000, HCorte said: 
> > 
> > > A sexta-feira, 26 de maio de 2023 à(s) 10:02:39 UTC+1, Single Stage to 
> > > Orbit escreveu: 
> > >> On Thu, 2023-05-25 at 13:54 -0700, Bob Gezelter wrote:> > 
> > >> KexAlgorithms +diffie-hellman-group1-sha1> > HostKeyAlgorithms 
> > >> +ssh-dss> > Ciphers +aes128-cbc 
> > >> I'd be delighted if VSI updated OpenSSH to enable ed22519. I live in> 
> > >> hope some day :-D> --> Tactical Nuclear Kittens 
> > 
> > OpenSSH version 6.5 and later offer ed22519, and—per the release notes— 
> > the OpenVMS version does support ed25519. 
> > 
> > The OpenVMS OpenSSH port does not support ed25519-sk keys, which is 
> > related to FIDO / U2F authentication. Which would be nice to have, yes. 
> > 
> > > yes @Bob the prolem is in the server side, 
> > 
> > The problem is with the OpenVMS server and with its administration. 
> > 
> > > We tried to connect in another machine unix that has the version 7 of 
> > > ssh and it worked well, so now will be installed that version in the 
> > > final unix machine with a diferent port so the problem will be fixed 
> > > as was suggested here, thanks for all the feedback. 
> > 
> > Old systems can and will fall behind, and network connections and services will 
> > fail as peers are kept (more) current. Inevitably. 
> >
> One option to address this is to adopt the commercial SSH package from Process Software. 
> < https://www.process.com/products/ssh/> 
> 
> Supports 
> - OpenVMS VAX 5.5-2 or higher 
> - OpenVMS Alpha 6.2 or higher 
> - OpenVMS Integrity 8.2 or higher 
> 
> ** Runs on any version of TCP/IP Services supported by HPE or VSI 
> 
> Can also get a free evaluation kit from Process Software.
> > > yes @Craig not gona install a new version of ssh in OpenVMS machine 
> > > don't know what kind of problems could/would arise from that and have 
> > > 0 experience in installing any software in VMS... 
> > 
> > SSH connection downgrade scripts have gotten posted here on occasion. 
> > I've posted a template sethost shell script for macOS and other Unix and Linux 
> > platforms. That script allows systems with newer ssh easier access into 
> > outdated OpenVMS ssh configurations, and to outdated iLO ssh 
> > configurations. And easier telnet access, for those here connecting to the 
> > antediluvian stuff. 
> > 
> > https://groups.google.com/g/comp.os.vms/c/DhT_TWepPJ8/m/ReiPhF25CA 
> > AJ 
> > 
> > While previous OpenVMS régimes were sometimes slow to push out patches 
> > for SSH and TLS, VSI has been better about that. 
> > 
> > From the HP era, TCP/IP Services V5.7-ECO5 or later will probably work here, 
> > too. That patch became available in 2014. 
> > 
> > An OpenVMS Alpha server in production in 2023 should be running 
> > V8.4-2L1 or -2L2, with a plan underway to migrate to OpenVMS x86-64, or a 
> > plan to port the apps to Linux, Windows, or otherwise, or a plan to retire the 
> > server and its apps entirely. 
> > 
> > Otherwise, and to paraphrase an aphorism from another context, if you look 
> > around the table and don't know who the designated scapegoat is, it's 
> > probably you. 
> >
> Regards, 
> 
> Kerry Main 
> Kerry dot main at starkgaming dot com 
> 
> 
> 
> 
> -- 
> This email has been checked for viruses by AVG antivirus software. 
> www.avg.com


its seems that beside the changes made to /etc/ssh/sshd_config (kex,ciphers,mac's), 
it also need to change the /etc/sysconfig/sshd and uncomment the line
CRYPTO_POLICY=

from there is worked even with the ssh v8 in the server, so it was /etc/sysconfig/sshd file that missing that change to fix it.


files changed needed to make it work:
/etc/ssh/sshd_config
/etc/sysconfig/sshd

More information about the Info-vax mailing list