Establishing an outbound SSH session from Photon OS virtual machines to any target fails with the error "ssh_dispatch_run_fatal".

Article ID: 382482

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Attempting to open an SSH connection from a Photon OS VM fails.

$ admin@test [ ~ ]$ ssh [email protected]
ssh_dispatch_run_fatal: Connection to 172.16.0.2 port 22: invalid argument

Ping to the same target succeeds:
$ admin@test [ ~ ]$ ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=49 time=3.05 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=49 time=3.10 ms
64 bytes from 172.16.0.2: icmp_seq=3 ttl=49 time=3.04 ms
^C
--- 172.16.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms

Environment

Photon OS 4.x, 5.x

Cause

This occurs on VMs with OpenSSL FIPS mode enabled.

The default cipher list used by the SSH client is: "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

The first cipher in this list, chacha20-poly1305@openssh.com, is not supported by OpenSSL in FIPS mode. Consequently, OpenSSL in FIPS mode raises an error immediately rather than allowing a fallback to the next cipher, which causes the connection error.

Resolution

Add the line Ciphers aes128-ctr to the SSH config and restart the SSH daemon by following the steps below:

  1. Log in to the VM as root.
  2. Edit the /etc/ssh/ssh_config file.
  3. Add the line Ciphers aes128-ctr to the bottom of the file. This forces the SSH client to use the aes128-ctr cipher when establishing a connection.
  4. Run systemctl restart sshd.

Workaround:

Open the SSH connection by specifying the cipher aes128-ctr:

ssh username@IP -c aes128-ctr
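
To confirm that the configuration change took effect, the client's effective cipher order can be read from `ssh -G <host>`, which prints the configuration the client would use for that host. The script below is an added example, not part of the original article: the function names and sample outputs are constructed for illustration, and it assumes the unsupported cipher is chacha20-poly1305@openssh.com, the first entry in OpenSSH's default client cipher list.

```shell
#!/bin/sh
# Added example: check which cipher the SSH client will offer first.
# Assumption: this is the cipher that OpenSSL in FIPS mode rejects.
FIPS_UNSUPPORTED='chacha20-poly1305@openssh.com'

# Constructed samples of `ssh -G <host>` output (trimmed to a few lines).
SAMPLE_DEFAULT='user admin
hostname 172.16.0.2
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
SAMPLE_FIXED='user admin
hostname 172.16.0.2
port 22
ciphers aes128-ctr'

# Read `ssh -G` output on stdin and print the comma-separated cipher list.
effective_ciphers() {
    awk '$1 == "ciphers" { print $2; exit }'
}

# Read `ssh -G` output on stdin and judge the first (preferred) cipher.
# Returns 0 = usable, 1 = unsupported cipher is first, 2 = no ciphers line.
check_first_cipher() {
    cfc_list=$(effective_ciphers)
    if [ -z "$cfc_list" ]; then
        echo "UNKNOWN: no ciphers line in input"
        return 2
    fi
    cfc_first=${cfc_list%%,*}
    if [ "$cfc_first" = "$FIPS_UNSUPPORTED" ]; then
        echo "FAIL: $cfc_first is offered first; add 'Ciphers aes128-ctr' or use -c aes128-ctr"
        return 1
    fi
    echo "OK: $cfc_first is offered first"
    return 0
}

# With a host argument, check the live effective client configuration;
# without one, run against the constructed samples above.
if [ "$#" -ge 1 ]; then
    ssh -G "$1" | check_first_cipher
else
    printf '%s\n' "$SAMPLE_DEFAULT" | check_first_cipher || true
    printf '%s\n' "$SAMPLE_FIXED" | check_first_cipher
fi
```

A FAIL result after editing /etc/ssh/ssh_config usually means another Ciphers line (for example in ~/.ssh/config or an earlier matching Host block) is taking precedence, because ssh uses the first value it obtains for each option.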