FOTS1406 SSH2 cipher error message is shown when trying to connect via SSH to a MOI appliance

Article ID: 238075


Products

Mainframe Operational Intelligence

Issue/Introduction

The Customer is able to create SSH keys (MLSS Manage option 1) for a MOI appliance, but when the Customer tries to issue a command that connects to the MOI appliance (like MLSS Manage option 2 Boot Log), the following message is displayed:
 
00000100 FOTS1406 /etc/ssh/ssh_config line 54: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256[email protected],aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour'.                           00000200 

 

This Bad SSH2 cipher error message occurs both from the MOI ISPF panels noted above and when attempting to SSH manually into the MOI Appliance.

The Customer is making use of enhanced SSH2 security protocols versus OpenSSH, and the ciphers listed in the error message above are considered to be weaker and are not supported by SSH2.

Since MOI is generating the SSH keys for release 2.0.06 automatically, it is necessary to manually remove the weaker ciphers from the /etc/ssh/sshd_config file on the MOI appliance. 

The process contained in the resolution below was used by this Customer to identify the weaker ciphers by comparing the list of supported ciphers in OMVS to the cipher list in the MOI Appliance /etc/ssh/sshd_config file and then removing the ones that were no longer supported.  

 

 

Environment

Release : 2.0.06

Component : MF OPERATIONAL INTELLIGENCE

Resolution

The following two Linux commands were issued in OMVS to determine the parameters for the content of the sshd_config file in the MOI Appliance /etc/ssh directory:

 

>  ssh -Q cipher

3des-cbc                          

aes128-cbc                        

aes192-cbc                        

aes256-cbc                        

[email protected]        

aes128-ctr                        

aes192-ctr                        

aes256-ctr                        

[email protected]            

[email protected]            

[email protected]

 

>  ssh -Q mac

 hmac-sha1

hmac-sha1-96

hmac-sha2-256

hmac-sha2-512

hmac-md5

hmac-md5-96

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

 

 

Comparing the cipher list displayed in OMVS to the cipher list in the MOI appliance /etc/ssh/sshd_config file showed these results:

 

The existing ciphers highlighted in yellow above were removed by copying the full cipher list in the MOI Appliance /etc/ssh/sshd_config file, commenting out the extra cipher lines, and then removing the unneeded ciphers from the uncommented lines in the /etc/ssh/sshd_config file, highlighted in red below:

 

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],3des-cbc,[email protected],[email protected],arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],3des-cbc,[email protected],[email protected],[email protected]

# MACs [email protected],[email protected],[email protected],[email protected],hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,[email protected],[email protected],hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],hmac-ripemd160,[email protected]

MACs [email protected],[email protected],[email protected],[email protected],hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected]

This resolved the FOTS1406 Bad SSH2 cipher spec error message.
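The manual comparison described above can be scripted. The following is an added example, not part of the original article or of MOI: the function name `filter_spec` is hypothetical, and the sample input is constructed from the algorithm names that are legible on this page. In real use the supported list would be the saved output of `ssh -Q cipher` (or `ssh -Q mac`) from OMVS.

```shell
#!/bin/sh
# Added example: reduce a Ciphers/MACs spec to the algorithms the other side supports.

# filter_spec SUPPORTED_FILE SPEC [keep|drop]
#   SUPPORTED_FILE: one algorithm per line, as printed by `ssh -Q cipher`
#   SPEC:           comma-separated list taken from the Ciphers or MACs line
#   keep (default) prints the entries that are supported, in their original order;
#   drop prints the entries that would have to be removed.
filter_spec() {
    awk -v spec="$2" -v mode="${3:-keep}" '
        # ssh -Q output may carry padding; trim it before recording the name
        { gsub(/^[ \t\r]+|[ \t\r]+$/, ""); if ($0 != "") ok[$0] = 1 }
        END {
            want = (mode == "drop") ? 0 : 1
            n = split(spec, alg, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (alg[i] == "") continue           # tolerate a stray comma
                hit = (alg[i] in ok) ? 1 : 0         # exact name match only
                if (hit == want) out = out (out == "" ? "" : ",") alg[i]
            }
            print out
        }' "$1"
}

# Constructed sample input (names taken from the legible parts of this page).
SUPPORTED=$(mktemp)
cat > "$SUPPORTED" <<'EOF'
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
 aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
EOF
SPEC='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour'

echo "# removed: $(filter_spec "$SUPPORTED" "$SPEC" drop)"
echo "Ciphers $(filter_spec "$SUPPORTED" "$SPEC")"
```

Review the `drop` output before editing the configuration file, and keep the original line commented out as the article does so the change can be reverted.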