FOTS1406 /etc/ssh/ssh_config line 54: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour'.
This Bad SSH2 cipher error message is occurring both from the MOI ISPF panels noted above and from attempted manual SSH'ing into the MOI Appliance.
The Customer is making use of enhanced SSH2 security protocols rather than OpenSSH, and the ciphers listed in the error message above are considered weaker and are not supported by SSH2.
Since MOI is generating the SSH keys for release 2.0.06 automatically, it is necessary to manually remove the weaker ciphers from the /etc/ssh/sshd_config file on the MOI appliance.
The process contained in the resolution below was used by this Customer to identify the weaker ciphers by comparing the list of supported ciphers in OMVS to the cipher list in the MOI Appliance /etc/ssh/sshd_config file and then removing the ones that were no longer supported.
Release : 2.0.06
Component : MF OPERATIONAL INTELLIGENCE
The following two Linux commands were issued in OMVS to determine the supported parameters for the contents of the sshd_config file in the MOI Appliance /etc/ssh directory:
> ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
> ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
Comparing the cipher and MAC lists displayed in OMVS to the cipher list in the MOI appliance /etc/ssh/sshd_config file showed these results:
Removed the existing ciphers highlighted in yellow above by copying the full cipher list in the MOI Appliance /etc/ssh/sshd_config file, commenting out the original cipher lines, and then removing the unneeded ciphers (highlighted in red below) from the uncommented lines in the /etc/ssh/sshd_config file:
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
# MACs hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com
MACs hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com
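The comparison described above (take the output of `ssh -Q cipher` and `ssh -Q mac` on the client side, then strip every name from the appliance's Ciphers and MACs directives that the client does not list) can be done mechanically. The following script is an added example and is not part of the original article or of the MOI product; it embeds the OMVS lists and the original sshd_config lines from the article as constructed sample input. Unlike the hand-edited result above, it only removes unsupported names and does not add chacha20-poly1305@openssh.com; it also refuses to write an empty directive and does not handle the `+`, `-` or `^` prefix forms of the directives, which the article does not use.

```python
"""Filter the Ciphers/MACs directives of an sshd_config down to the algorithms
a peer's ssh client reports as supported (`ssh -Q cipher` / `ssh -Q mac`)."""
from __future__ import annotations

import re

# Constructed sample: client-side `ssh -Q cipher` output (the article's OMVS list).
SSH_Q_CIPHER = """\
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
"""

# Constructed sample: client-side `ssh -Q mac` output (the article's OMVS list).
SSH_Q_MAC = """\
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
"""

# Constructed sample: the appliance's original (pre-fix) sshd_config directives.
SSHD_CONFIG_BEFORE = """\
# Ciphers and MACs as shipped on the appliance
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour
MACs hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com
"""

# Matches an active (uncommented) Ciphers or MACs directive; keywords in
# sshd_config are case-insensitive.
_DIRECTIVE = re.compile(r"^(\s*)(Ciphers|MACs)(\s+)(\S.*?)\s*$", re.IGNORECASE)


def parse_query_output(text: str) -> set[str]:
    """Turn `ssh -Q ...` output (one algorithm per line) into a set of names."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def filter_spec(spec: str, supported: set[str]) -> tuple[list[str], list[str]]:
    """Split a comma-separated spec into (kept, removed), preserving order."""
    if spec[:1] in "+-^":
        raise ValueError(f"prefix form {spec[:1]!r} is not handled; use an explicit list")
    names = [n.strip() for n in spec.split(",") if n.strip()]
    kept = [n for n in names if n in supported]
    removed = [n for n in names if n not in supported]
    return kept, removed


def harden_config(config: str, ciphers: set[str], macs: set[str]) -> tuple[str, dict[str, list[str]]]:
    """Rewrite active Ciphers/MACs directives, dropping names the client lacks.

    Returns the new config text and a report {directive: [removed names]}.
    Commented-out lines are passed through untouched.
    """
    report: dict[str, list[str]] = {}
    out: list[str] = []
    for line in config.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            out.append(line)
            continue
        indent, key, sep, spec = m.groups()
        supported = ciphers if key.lower() == "ciphers" else macs
        kept, removed = filter_spec(spec, supported)
        if not kept:
            # An empty directive would lock every client out; stop instead.
            raise ValueError(f"{key}: no mutually supported algorithms remain")
        report[key] = removed
        out.append(f"{indent}{key}{sep}{','.join(kept)}")
    return "\n".join(out) + "\n", report


def main() -> None:
    new_config, report = harden_config(
        SSHD_CONFIG_BEFORE, parse_query_output(SSH_Q_CIPHER), parse_query_output(SSH_Q_MAC)
    )
    for key, removed in report.items():
        print(f"{key}: removed {', '.join(removed) or 'nothing'}")
    print(new_config, end="")


if __name__ == "__main__":
    main()
```

On real systems, capture `ssh -Q cipher` and `ssh -Q mac` from the client (here OMVS) into files and feed them to `parse_query_output` instead of the embedded samples. Note that the result is only the intersection of the two lists: supported-but-legacy algorithms such as the CBC ciphers and the MD5 MACs survive this step, so review the kept list before restarting sshd.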
This resolved the FOTS1406 Bad SSH2 cipher spec error message.