First off, I am running V7R1 and still support all the weaker SSL communications for legacy POS equipment.
Here is the entire file:
# $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
HostKeyAlgorithms +ssh-dss
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Ciphers +aes256-cbc,aes192-cbc,aes128-cbc
# MACs hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
Chris Bipes
Director of Information Services
CrossCheck, Inc.
707.665.2100, ext. 1102 - 707.793.5700 FAX
chris.bipes@xxxxxxxxxxxxxxx
www.cross-check.com
-----Original Message-----
From: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Sent: Tuesday, September 24, 2019 9:39 AM
To: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>; 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing
Chris,
I added
Cipher +aes256-cbc,aes192-cbc,aes128-cbc
/QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/ssh_config line 52: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'
Can you please re-confirm your Cipher spec?
Thanks
Paul
-----Original Message-----
From: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>
Sent: Tuesday, September 24, 2019 11:09 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: RE: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing
This is the same problem I had last week. I also had to add:
Cipher +aes256-cbc,aes192-cbc,aes128-cbc to the same configuration file.
I was given this link by a business partner who uses IPSwitch products and their support gave it to them:
https://www.openssh.com/legacy.html
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Steinmetz, Paul via MIDRANGE-L
Sent: Tuesday, September 24, 2019 7:50 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing
IPL with SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm.
Multiple production SFTP failing.
Unable to negotiate with xxx.xxx.xxx.xx port 22: no matching host key type found. Their offer: ssh-dss
Remote sites either need to upgrade
Or
Re-enable ssh-dss using the HostKeyAlgorithms configuration option:
ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost
or
in the configuration file
WRKLNK '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_config'
and add these two entries to the ssh_config file.
Host somehost.example.org --> the host name you use to connect/ip address
HostKeyAlgorithms +ssh-dss
Anyone else having these issues?
Which work around have others used?
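An added example (not code from this thread or from OpenSSH): a small Python audit of an ssh_config that reports where ssh-dss and the CBC ciphers are re-enabled, distinguishing options that apply to every host from options under a specific Host block. It also flags an algorithm list given to `Cipher`, which was the single-cipher SSH protocol 1 option, rather than to `Ciphers`. The `audit` function, the `LEGACY` set and the sample config are constructed for illustration.

```python
import re

# Algorithms this thread re-enables; calling them "legacy" is this example's assumption.
LEGACY = {"ssh-dss", "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}
LIST_KEYWORDS = {"hostkeyalgorithms", "ciphers"}

SAMPLE = """\
# constructed sample, not the poster's file
HostKeyAlgorithms +ssh-dss
Cipher +aes256-cbc,aes192-cbc,aes128-cbc
Host somehost.example.org
    HostKeyAlgorithms +ssh-dss
    Ciphers +aes128-cbc
"""

def audit(text):
    """Return (kind, line_no, scope, algorithms) tuples for an ssh_config text."""
    findings = []
    scope = "*"  # options placed before any Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = value if key == "host" else "Match " + value
            continue
        algos = [a for a in value.lstrip("+-^").split(",") if a]
        if key == "cipher" and (len(algos) > 1 or value.startswith(("+", "-", "^"))):
            # "Cipher" took one protocol 1 cipher; algorithm lists belong under "Ciphers"
            findings.append(("wrong-keyword", line_no, scope, algos))
        elif key in LIST_KEYWORDS:
            legacy = sorted(a for a in algos if a in LEGACY)
            if legacy:
                kind = "global-legacy" if scope == "*" else "scoped-legacy"
                findings.append((kind, line_no, scope, legacy))
    return findings

if __name__ == "__main__":
    for kind, line_no, scope, algos in audit(SAMPLE):
        print(f"line {line_no}: {kind} (scope {scope}): {','.join(algos)}")
```

A `global-legacy` finding means the weaker algorithm is offered to every server the client connects to; moving the line under a `Host` block for the one legacy endpoint limits it to that connection.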