Re: Azure DevOps hosted git, and Bastion, failing to negotiate encryption?

On Mon, May 23, 2022 at 5:07 AM Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
>
> On 21.05.22 01:41, Nico Kadel-Garcia wrote:
> > I'm dealing with Azure DevOps git services with which recent, security
> > hardened SSH clients on a RHEL 8 variant cannot establish public-key
> > based SSH links to the Azure Devops. Other RHEL 8 based systems work
> > well.
> >
> > Conversely, Azure Bastion cannot use Azure key vault stored private
> > SSH keys to access the same RHEL 8 based servers, though they can
> > reach other hosts with the same private key and the same public key.
> > I've also used the private SSH key, locally, to connect to the various
> > servers.

I figured out the Bastion problem. Generating keys and getting them
into the Azure key vault correctly can be a bit of an adventure. It
turns out that the "az keyvault" commands can get very peculiar about
handling quotes, and of course the "insert punctuation in new
passwords" requirements of Azure AD and its linked ADDS can....
adventuresome to script safely and consistently for integration with
configuration management tools.

The Azure DevOps git service issues are still a problem. I've not so
far found the distinction between the InterNIC published RHEL 8 images
and the Red Hat published RHEL 8 images that trigger this issue. I do
like your suggestion of poking the 'ssh -v -o
"KexAlgorithms +diffie-hellman-group14-sha1" -o "HostKeyAlgorithms
+ssh-rsa" ' settings, and will do so ASAP. That thought.... makes
sense.

Nico Kadel-Garcia

> In my experience, if you can run a plain "ssh -v" as the client, the
> output *does* include details about the problem *somewhere*. To wit:
>
> > $ ssh -v root@SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching key exchange
> >    method found. Their offer: diffie-hellman-group-exchange-sha1,
> >      diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> > $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1" root@SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching
> >    host key type found. Their offer: ssh-rsa,ssh-dss
>
> > $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1"
> >    -o "HostKeyAlgorithms +ssh-rsa" root@SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching MAC found.
> >    Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,
> >       hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> etc. etc.. If I had to *guess*, I'd say that the dissent is about the
> key vault somehow offering (only) ssh-rsa while the hardened RHEL now
> insists on rsa-sha2-* for a key algorithm ...
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
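The three "Unable to negotiate" diagnostics quoted in the thread each name the class of algorithm that failed (key exchange, host key type, MAC) and list the peer's offer. The parser below, an added example that is not code from the thread or from OpenSSH, reads an `ssh -v` transcript (mail-wrapped lines included), extracts each failure, flags which offered algorithms current clients disable by default, and builds the `-o "<Keyword> +<algorithm>"` option that re-enables the least-bad one for a single session. The sample transcripts are constructed to mirror the shape of the quoted output; the preference rankings are this example's, not OpenSSH's.

```python
"""Parse 'Unable to negotiate' diagnostics from ssh -v and report what the
peer offered, which offers are legacy-only, and the one -o option that would
re-enable the least-bad of them. Added example; not from the thread or OpenSSH.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Phrase OpenSSH prints in the diagnostic -> ssh_config keyword that governs it.
KEYWORD_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
    "cipher": "Ciphers",
}

# Order in which to pick an algorithm to re-enable, least-bad first. These are
# the example's own rankings; anything absent from a list sorts last.
PREFERENCE = {
    "KexAlgorithms": [
        "diffie-hellman-group14-sha1",         # fixed 2048-bit group, SHA-1 hash
        "diffie-hellman-group-exchange-sha1",  # group size negotiated, SHA-1 hash
        "diffie-hellman-group1-sha1",          # 1024-bit group: weakest
    ],
    "HostKeyAlgorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss"],
    "MACs": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-ripemd160",
             "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "Ciphers": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc", "3des-cbc"],
}

# Names that modern OpenSSH clients disable by default: SHA-1/MD5/RIPEMD hashes,
# truncated MACs, CBC ciphers, 1024-bit DH, DSA keys and SHA-1 RSA signatures.
LEGACY = re.compile(r"sha1|md5|ripemd160|-96|cbc|group1-|^ssh-(rsa|dss)$")

DIAG = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|host key type|MAC|cipher) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)


@dataclass
class Failure:
    host: str
    port: int
    keyword: str         # ssh_config keyword the failure is about
    offered: list[str]   # every algorithm the peer listed, in the peer's order
    legacy: list[str]    # the subset that current clients disable by default


def unwrap(transcript: str) -> str:
    """Undo mail-client wrapping: continuation lines start with whitespace,
    and comma-separated lists may have been split after a comma."""
    flat = re.sub(r"\n[ \t]+", " ", transcript)
    return re.sub(r",\s+", ",", flat)


def parse_failures(transcript: str) -> list[Failure]:
    """One Failure per 'Unable to negotiate' line in an ssh -v transcript."""
    failures = []
    for m in DIAG.finditer(unwrap(transcript)):
        offered = m["offer"].split(",")
        failures.append(Failure(
            host=m["host"],
            port=int(m["port"]),
            keyword=KEYWORD_FOR[m["what"]],
            offered=offered,
            legacy=[a for a in offered if LEGACY.search(a)],
        ))
    return failures


def suggest_option(f: Failure) -> str:
    """The ssh -o option that appends the least-bad offered algorithm to the
    client's list; the leading '+' keeps the client's own defaults in front."""
    ranking = PREFERENCE.get(f.keyword, [])
    pick = min(f.offered,
               key=lambda a: ranking.index(a) if a in ranking else len(ranking))
    return f'-o "{f.keyword} +{pick}"'


# Constructed transcripts shaped like the quoted output (SomeOldBox is the
# thread's placeholder host; the debug lines are invented filler).
SAMPLE_KEX = """\
debug1: Connecting to SomeOldBox [192.0.2.10] port 22.
Unable to negotiate with SomeOldBox port 22: no matching key exchange
   method found. Their offer: diffie-hellman-group-exchange-sha1,
     diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""
SAMPLE_HOSTKEY = """\
Unable to negotiate with SomeOldBox port 22: no matching
   host key type found. Their offer: ssh-rsa,ssh-dss
"""
SAMPLE_MAC = """\
Unable to negotiate with SomeOldBox port 22: no matching MAC found.
   Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,
      hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
"""

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_KEX + SAMPLE_HOSTKEY + SAMPLE_MAC):
        print(f"{f.host}:{f.port} {f.keyword}: offered {f.offered}")
        print(f"  legacy-only offers: {f.legacy}")
        print(f"  one-off workaround: {suggest_option(f)}")
```

Two caveats when reading the report. The `HostKeyAlgorithms` line concerns the server's host key signature; the user key that Jochen's guess is about is governed by `PubkeyAcceptedAlgorithms` (called `PubkeyAcceptedKeyTypes` before OpenSSH 8.5), and a client declining to sign with SHA-1 RSA for its own key does not produce an "Unable to negotiate" line at all, so this parser will report nothing for that case. And every algorithm the parser flags as legacy is disabled by default for a reason; the `-o` string is for confirming the diagnosis on one connection, not for pasting into `ssh_config`.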