


Chris,

Ciphers +aes256-cbc,aes192-cbc,aes128-cbc

This worked.

Thanks
Paul

-----Original Message-----
From: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>
Sent: Tuesday, September 24, 2019 12:54 PM
To: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>; 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing

First off I am running V7R1 and still support all the weaker SSL communications for legacy POS equipment.

Here is the entire file:
# $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
HostKeyAlgorithms +ssh-dss
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Ciphers +aes256-cbc,aes192-cbc,aes128-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no



Chris Bipes
Director of Information Services
CrossCheck, Inc.

707.665.2100, ext. 1102 - 707.793.5700 FAX chris.bipes@xxxxxxxxxxxxxxx www.cross-check.com


-----Original Message-----
From: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Sent: Tuesday, September 24, 2019 9:39 AM
To: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>; 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing

Chris,

I added
Cipher +aes256-cbc,aes192-cbc,aes128-cbc

/QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/ssh_config line 52: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'

Can you please re-confirm your Cipher spec?

Thanks
Paul


-----Original Message-----
From: Christopher Bipes <chris.bipes@xxxxxxxxxxxxxxx>
Sent: Tuesday, September 24, 2019 11:09 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: RE: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing

This is the same problem I had last week. I also had to add:
Cipher +aes256-cbc,aes192-cbc,aes128-cbc to the same configuration file.

I was given this link by a business partner who uses IPSwitch products and their support gave it to them:
https://www.openssh.com/legacy.html




Chris Bipes
Director of Information Services
CrossCheck, Inc.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Steinmetz, Paul via MIDRANGE-L
Sent: Tuesday, September 24, 2019 7:50 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: 5733SC1 PTF SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm - multiple production SFTP failing now failing

IPL with SI70819 upgraded OpenSSH disabling ssh-dss (DSA) public key algorithm.
Multiple production SFTP failing.
Unable to negotiate with xxx.xxx.xxx.xx port 22: no matching host key type found. Their offer: ssh-dss

Remote sites either need to upgrade
Or
Re-enable ssh-dss using the HostKeyAlgorithms configuration option:

ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

or

in the configuration file

WRKLNK '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_config'

and add these two entries to the ssh_config file.

Host somehost.example.org --> the host name you use to connect/ip address

HostKeyAlgorithms +ssh-dss

Anyone else having these issues?
Which work around have others used?
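
Added example, not part of the thread: a small check that lists where an ssh_config file appends legacy algorithms with `+`, and whether each entry is scoped to a named `Host` block (as the first message suggests) or applies to every connection. The function names, the host name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. audit_ssh_config (hypothetical name)
# lists every ssh_config line that appends (+) algorithms to a default list,
# prefixed with the scope it applies to and its line number.
# Limits: "Keyword=value" syntax and Include files are not handled.
audit_ssh_config() {
    awk '
        BEGIN { scope = "GLOBAL" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = tolower($1); name = $1; value = $2
            if (key == "host" || key == "match") {
                $1 = ""; sub(/^ +/, "")        # keep only the pattern list
                scope = (key == "host" && $0 == "*") ? "GLOBAL" : $0
                next
            }
            if (key ~ /^(hostkeyalgorithms|ciphers|kexalgorithms|macs)$/ &&
                value ~ /^\+/)
                printf "%s:%d:%s %s\n", scope, NR, name, value
        }
    ' "$@"
}

# Constructed sample: one scoped exception and one that applies everywhere.
sample_config() {
    cat <<'EOF'
# constructed sample, not a file from the thread
Host legacy-sftp.example.org
    HostKeyAlgorithms +ssh-dss
    Ciphers +aes256-cbc,aes192-cbc,aes128-cbc

Host *
    HostKeyAlgorithms +ssh-dss
    StrictHostKeyChecking ask
EOF
}

# Reads stdin when no file is given; pass a path to audit a real file.
sample_config | audit_ssh_config
```

Lines reported as `GLOBAL` re-enable the algorithm for every host the client connects to; moving them under a `Host` block for the specific legacy partner limits the exception to that connection.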

