SFTP failing on 7.4


    Hi

    We recently upgraded to a new Power 9 box running 7.4, and SFTP (client, we do not run the server) now fails with:

    debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
    debug1: kex: host key algorithm: rsa-sha2-512
    Unable to negotiate with nnn.nn.nnn.nn port 22: no matching cipher found. Their offer: aes256-cbc,aes128-cbc,blowfish-cbc,3des-cbc,cast128-cbc

    We are just using password authentication, which still works fine on our old power 8 box on 7.2.

    We have implemented older protocols and ciphers using system values QSSLCSL, QSSLCSLCTL, QSSLPCL, and TLSCONFIG (in SST).

    Has anyone come across this before, or has any idea where I might look next?



  • #2
    SFTP doesn't use SSL/TLS, it uses the SSH protocol. Those system values don't apply.

    Instead, you'll want to edit your /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_config file. Note that lines beginning with # are commented-out. You'll need to use the Ciphers directive to enable the ciphers that the remote host needs.

    Here's a quote from the manual page for ssh_config:

    Code:
    Ciphers
                 Specifies the ciphers allowed and their order of
                 preference.  Multiple ciphers must be comma-separated.  If
                 the specified list begins with a ‘+’ character, then the
                 specified ciphers will be appended to the default set
                 instead of replacing them.  If the specified list begins
                 with a ‘-’ character, then the specified ciphers (including
                 wildcards) will be removed from the default set instead of
                 replacing them.  If the specified list begins with a ‘^’
                 character, then the specified ciphers will be placed at the
                 head of the default set.
    
                 The supported ciphers are:
    
                       3des-cbc
                       aes128-cbc
                       aes192-cbc
                       aes256-cbc
                       aes128-ctr
                       aes192-ctr
                       aes256-ctr
                       aes128-gcm@openssh.com
                       aes256-gcm@openssh.com
                       chacha20-poly1305@openssh.com
    
                 The default is:
    
                       chacha20-poly1305@openssh.com,
                       aes128-ctr,aes192-ctr,aes256-ctr,
                       aes128-gcm@openssh.com,aes256-gcm@openssh.com
    
                 The list of available ciphers may also be obtained using
                 "ssh -Q cipher".

    Note that the ones it is offering are pretty weak -- not particularly secure. Of those, I would recommend aes256-cbc. I would definitely think twice before enabling blowfish or 3des, as those are very old and insecure.

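    To make the Ciphers directive semantics from the quoted manual page concrete, here is an added example (not code from the thread, from IBM, or from OpenSSH) that models how the four forms of the directive (plain list, +, -, ^) change the client's effective cipher list, and then runs the client-preference-first selection that the SSH transport uses against the exact offer in the error message above. The default list and the server offer are taken from this thread; the function and variable names are the example's own. It shows why the stock ssh_config cannot negotiate with that host, why `Ciphers +aes256-cbc` fixes it while keeping the modern ciphers preferred for every other host, and why a bare `Ciphers aes256-cbc` would instead downgrade every connection.

```python
import fnmatch

# Default client cipher list, as quoted from the ssh_config manual page in this thread.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# The remote host's offer, copied from the "no matching cipher found" message above.
SERVER_OFFER = ["aes256-cbc", "aes128-cbc", "blowfish-cbc", "3des-cbc", "cast128-cbc"]


def effective_ciphers(directive, default=DEFAULT_CIPHERS):
    """Model the Ciphers directive as described in ssh_config(5).

    `directive` is the text after the Ciphers keyword, e.g. "+aes256-cbc".
    Returns the client's resulting preference-ordered list.
    """
    value = directive.strip()
    if not value:
        return list(default)
    if value[0] in "+-^":
        prefix, body = value[0], value[1:]
    else:
        prefix, body = "", value
    items = [c.strip() for c in body.split(",") if c.strip()]

    if prefix == "+":
        # Appended to the default set, so they are only tried when nothing better matches.
        return list(default) + [c for c in items if c not in default]
    if prefix == "-":
        # Removed from the default set; this form accepts wildcards such as aes*-ctr.
        return [c for c in default
                if not any(fnmatch.fnmatchcase(c, pat) for pat in items)]
    if prefix == "^":
        # Placed at the head of the default set (moves them to highest preference).
        return items + [c for c in default if c not in items]
    # No prefix: the list replaces the defaults outright (the downgrade trap).
    return items


def negotiate(client, server):
    """Pick the first cipher in the client's list that the server also offers.

    This is the SSH transport rule: client preference order wins, and an empty
    intersection is the "no matching cipher found" failure seen in the thread.
    """
    for c in client:
        if c in server:
            return c
    return None


if __name__ == "__main__":
    # Constructed scenarios: stock config, the recommended fix, and the replace form.
    for directive in ["", "+aes256-cbc", "aes256-cbc"]:
        client = effective_ciphers(directive)
        chosen = negotiate(client, SERVER_OFFER)
        print(f"Ciphers {directive or '<default>':<14} -> {chosen or 'NO MATCH'}")
```

    On the box itself, `ssh -Q cipher` (mentioned in the manual excerpt) lists what the client can support, and `ssh -G <host>` prints the effective configuration, including the `ciphers` line, after ssh_config has been read, which is the quickest way to confirm the directive took effect for that host before retrying the transfer.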


    • #3
      Thanks Scott, much appreciated.
