Discussion:
TCPWare SSH client/server question
Chris Townley
2021-01-07 14:03:58 UTC
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.

If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error

warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN

and I get prompted for password.

Looking at the file protections:

SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)

ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)

Seems OK to me, so I must be missing something.


Any suggestions?


Chris
Jim
2021-01-07 18:27:03 UTC
Post by Chris Townley
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.
If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error
warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
and I get prompted for password.
SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
Seems OK to me, so I must be missing something.
Any suggestions?
Try removing all G and W access from both the directory and the key pair.
Chris Townley
2021-01-07 18:39:32 UTC
Post by Jim
Post by Chris Townley
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.
If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error
warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
and I get prompted for password.
SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
Seems OK to me, so I must be missing something.
Any suggestions?
Try removing all G and W access from both the directory and the key pair.
Thanks, but exactly the same.

Chris
Chris Townley
2021-01-10 10:41:12 UTC
Post by Chris Townley
Post by Jim
Post by Chris Townley
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.
If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error
warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
and I get prompted for password.
SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
Seems OK to me, so I must be missing something.
Any suggestions?
Try removing all G and W access from both the directory and the key pair.
Thanks, but exactly the same.
Chris
In fact the TCPWare manual specifically states that world read is
required on the public key.

I think a part of the problem is due to it being an RSA key - the SSH2
client seems not to support RSA keys, so working on that

Chris
Richard Whalen
2021-01-11 13:28:45 UTC
Post by Chris Townley
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.
If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error
warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
and I get prompted for password.
SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
Seems OK to me, so I must be missing something.
Any suggestions?
Chris
Sounds like a configuration error to me. Try SSH/DEBUG=4 and look for the following section:

debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:66: host_key_algorithms = x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:67: ciphers_c_to_s = aes128-***@openssh.com,aes256-***@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:68: ciphers_s_to_c = aes128-***@openssh.com,aes256-***@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Client/SSHCLIENT.C;5:1819: Creating transport protocol.
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:115: client_wrap already have params
debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4319: available kex algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4337: guessed kex ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521
debug: (08:19:56)SshProtoTrKex/TRKEX.C;4:1017: have SshKexType object for ecdh-sha2-nistp256

Also, make sure that both systems have recent SSHB patches.
- Correct an error in Group Exchange Key Exchange for group 18.
SSHB_V602P040 ECO Rank 3 8-Jul-2019
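
An added example, not part of the post above and not Process Software code: a small Python reader for the SSH/DEBUG=4 section quoted in that post. It rejoins the terminal-wrapped lines, extracts each offered algorithm list, and flags entries on a deprecated list. The WEAK table and the function names are assumptions of this example; the sample lines are copied from the post.

```python
import re

# Lines as they appear in the post above, terminal wrap included.
SAMPLE = """\
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman
-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-g
roup1-sha1
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Client/SSHCLIENT.C;5:1819: Creating transport protocol.
"""

# Reviewer's policy for this example (an assumption, not a TCPware default).
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "hmac-md5": "MD5-based MAC",
    "ssh-dss": "DSA host key",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "none": "no protection at all",
}

# "debug: (hh:mm:ss)Module/FILE.C;ver:line: name = a,b,c"
FIELD = re.compile(r"^debug: \(\d\d:\d\d:\d\d\)\S+: (\w+) = (.*)$")

def unwrap(text):
    """Rejoin wrapped output: a line not starting with 'debug:' continues the previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith("debug:") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += line.strip()
    return records

def offered(text):
    """Map each 'name = list' record to its list of algorithm names, in offer order."""
    out = {}
    for rec in unwrap(text):
        m = FIELD.match(rec)
        if m:
            out[m.group(1)] = m.group(2).split(",")
    return out

def findings(text):
    """Return (field, algorithm, reason) for every offered algorithm that is in WEAK."""
    return [(f, a, WEAK[a]) for f, algs in offered(text).items() for a in algs if a in WEAK]

if __name__ == "__main__":
    for field, alg, why in findings(SAMPLE):
        print(f"{field}: {alg} ({why})")
```

Without the unwrap step the last key-exchange entry is read as `diffie-hellman-g` and the weak group is missed, which is why wrapped debug captures should be rejoined before any matching.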
Chris Townley
2021-01-11 13:47:27 UTC
Post by Richard Whalen
Post by Chris Townley
Not sure if I am being silly, but I now have 2 nodes running tcpware
(TCPware(R) V6.0-0 Copyright (c) Process Software, OpenVMS version V8.4-2L1)
I have only enabled ssh2 connections.
If I connect from PC I connect fine, but if I connect from VMS, I get
the key exchange error
warning: Could not read private key DKA100:[TOWNLEYC.SSH2]ID_RSA_MERLIN
and I get prompted for password.
SSH2.DIR;1 [CCT,TOWNLEYC] (RWE,RWE,RE,E)
ID_RSA_MERLIN.;2 [CCT,TOWNLEYC] (RW,RW,,)
ID_RSA_MERLIN.PUB;2 [CCT,TOWNLEYC] (RWED,RWED,RE,R)
Seems OK to me, so I must be missing something.
Any suggestions?
Chris
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:65: kex_algorithms = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:66: host_key_algorithms = x509v3-ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ssh-dss,x509v3-ssh-rsa,x509v3-rsa2048-sha256,x509v3-sign-dss,x509v3-sign-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa2048-sha256,ssh-dss,ssh-rsa
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:67: ciphers_c_to_s = aes128-***@openssh.com,aes256-***@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:68: ciphers_s_to_c = aes128-***@openssh.com,aes256-***@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:69: macs_c_to_s = hmac-sha2-256,hmac-sha2-512,hmac-sha256,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:70: macs_s_to_c = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,none
debug: (08:19:56)Ssh2Client/SSHCLIENT.C;5:1819: Creating transport protocol.
debug: (08:19:56)Ssh2Trans/SSHTRANS.C;2:115: client_wrap already have params
debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4319: available kex algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: (08:19:56)Ssh2Transport/TRCOMMON.C;6:4337: guessed kex ecdh-sha2-nistp256, host key x509v3-ecdsa-sha2-nistp521
debug: (08:19:56)SshProtoTrKex/TRKEX.C;4:1017: have SshKexType object for ecdh-sha2-nistp256
Also, make sure that both systems have recent SSHB patches.
- Correct an error in Group Exchange Key Exchange for group 18.
SSHB_V602P040 ECO Rank 3 8-Jul-2019
As I said further to this, I think the problem is due to it being an RSA
key - SSH2 client seems not to support RSA keys. Just the error message
is misleading - debug doesn't add to that.

At least TCPWare is more up to date than TCP/IP services...


Chris