FOTS1406 SSH2 cipher error message is shown when trying to connect via SSH to a MOI appliance

Products

Mainframe Operational Intelligence

Issue/Introduction

The Customer is able to create SSH keys (MLSS Manage option 1) for a MOI appliance - but when the Customer tries to issue a command the connects to the MOI appliance (like MLSS Manage option 2 Boot Log) the following message is displayed:

00000100 FOTS1406 /etc/ssh/ssh_config line 54: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour'.                           00000200

This Bad SSH2 cipher error message is occurring both from the MOI ISPF panels noted above and from attempted manual SSH'ing into the MOI Appliance.

The Customer is making use of enhanced SSH2 security protocols versus Open SSH, and the ciphers listed in the error message above are considered to be weaker and are not supported by SSH2.

Since MOI is generating the SSH keys for release 2.0.06 automatically, it is necessary to manually remove the weaker ciphers from the /etc/ssh/sshd_config file on the MOI appliance.

The process contained in the resolution below was used by this Customer to identify the weaker ciphers by comparing the list of supported ciphers in OMVS to the cipher list in the MOI Appliance /etc/ssh/sshd_config file and then removing the ones that were no longer supported.

Environment

Release : 2.0.06

Component : MF OPERATIONAL INTELLIGENCE

Resolution

The following two Linux commands were issued in OMVS to figure out the parameters for content of the sshd-config in the MOI Appliance /etc/ssh directory:

> ssh -Q cipher

3des-cbc

aes128-cbc

aes192-cbc

aes256-cbc

rijndael-cbc@lysator.liu.se

aes128-ctr

aes192-ctr

aes256-ctr

aes128-gcm@openssh.com

aes256-gcm@openssh.com

chacha20-poly1305@openssh.com

> ssh -Q mac

hmac-sha1

hmac-sha1-96

hmac-sha2-256

hmac-sha2-512

hmac-md5

hmac-md5-96

umac-64@openssh.com

umac-128@openssh.com

hmac-sha1-etm@openssh.com

hmac-sha1-96-etm@openssh.com

hmac-sha2-256-etm@openssh.com

hmac-sha2-512-etm@openssh.com

hmac-md5-etm@openssh.com

hmac-md5-96-etm@openssh.com

umac-64-etm@openssh.com

umac-128-etm@openssh.com

Comparing this to the displayed cipher list in OMVS to the MOI appliance /etc/ssh/sshd_config file cipher list showed these results:

Removed the existing ciphers highlighted in yellow above by copying the the full cipher list in the MOI Appliance /etc/ssh/sshd_config file, commenting out the extra cipher lines, and then removing the unneeded ciphers from the uncommented lines in the /etc/ssh/sshd_config file highlighted in red below :

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com

# MACs hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com

MACs hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com

This resolved the FOTS1406 Bad SSH2 cipher spec error message.