Azure DevOps hosted git, and Bastion, failing to negotiate encryption?

Nico Kadel-Garcia nkadel at gmail.com
Fri May 27 14:56:21 AEST 2022


On Mon, May 23, 2022 at 5:07 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> On 21.05.22 01:41, Nico Kadel-Garcia wrote:
> > I'm dealing with Azure DevOps git services with which recent, security
> > hardened SSH clients on a RHEL 8 variant cannot establish public-key
> > based SSH links to the Azure DevOps. Other RHEL 8 based systems work
> > well.
> >
> > Conversely, Azure Bastion cannot use Azure key vault stored private
> > SSH keys to access the same RHEL 8 based servers, though they can
> > reach other hosts with the same private key and the same public key.
> > I've also used the private SSH key, locally, to connect to the various
> > servers.

I figured out the Bastion problem. Generating keys and getting them
into the Azure key vault correctly can be a bit of an adventure. It
turns out that the "az keyvault" commands can get very peculiar about
handling quotes, and of course the "insert punctuation in new
passwords" requirements of Azure AD and its linked ADDS can be....
adventuresome to script safely and consistently for integration with
configuration management tools.

The Azure DevOps git service issues are still a problem. I've not so
far found the distinction between the InterNIC published RHEL 8 images
and the Red Hat published RHEL 8 images that trigger this issue. I do
like your suggestion of poking the 'ssh -v -o
"KexAlgorithms +diffie-hellman-group14-sha1" -o "HostKeyAlgorithms
+ssh-rsa" ' settings, and will do so ASAP. That thought.... makes
sense.

Nico Kadel-Garcia

> In my experience, if you can run a plain "ssh -v" as the client, the
> output *does* include details about the problem *somewhere*. To wit:
>
> > $ ssh -v root at SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching key exchange
> >    method found. Their offer: diffie-hellman-group-exchange-sha1,
> >    diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> > $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1" root at SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching
> >    host key type found. Their offer: ssh-rsa,ssh-dss
>
> > $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1"
> >    -o "HostKeyAlgorithms +ssh-rsa" root at SomeOldBox
> [...]
> > Unable to negotiate with SomeOldBox port 22: no matching MAC found.
> >    Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,
> >       hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> etc. etc.. If I had to *guess*, I'd say that the dissent is about the
> key vault somehow offering (only) ssh-rsa while the hardened RHEL now
> insists on rsa-sha2-* for a key algorithm ...
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
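As an added example (not from Jochen's or Nico's messages), a POSIX shell helper that pulls the "Unable to negotiate" lines out of ssh -v output and flags which of the offered algorithms a hardened OpenSSH client refuses by default; the sample output is constructed, modelled on the session quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: extract the "Unable to negotiate" lines
# that ssh -v emits when a client rejects every algorithm a server offers, and
# flag the offered algorithms that modern OpenSSH disables by default
# (SHA-1 key exchange, ssh-rsa/ssh-dss signatures, MD5/SHA-1/RIPEMD MACs).

# Constructed sample of ssh -v output, modelled on the three attempts quoted above.
SAMPLE_SSH_OUTPUT='debug1: Connecting to SomeOldBox port 22.
Unable to negotiate with SomeOldBox port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Unable to negotiate with SomeOldBox port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Unable to negotiate with SomeOldBox port 22: no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96'

# Reads ssh -v output on stdin; prints "<what>: <offer>" per failure, where <what>
# is OpenSSH's own wording ("key exchange method", "host key type", "MAC", "cipher").
negotiation_failures() {
    sed -n 's/^Unable to negotiate with .*: no matching \(.*\) found\. Their offer: \(.*\)$/\1: \2/p'
}

# Reads a comma-separated offer on stdin; prints the legacy subset, comma-separated.
# Matches SHA-1 and MD5 constructions, the RIPEMD MACs dropped from OpenSSH, and the
# ssh-rsa / ssh-dss signature types (ssh-rsa means RSA with SHA-1; rsa-sha2-* is kept).
weak_algorithms() {
    tr ',' '\n' | grep -E 'sha1|md5|ripemd|^ssh-rsa$|^ssh-dss$' | paste -sd, -
}

# Human-readable report: offered list and legacy subset for each failed negotiation.
# Re-enabling the legacy names on the client only hides the problem; the fix belongs
# on the server (e.g. accept rsa-sha2-* signatures) or in the key material.
report_offers() {
    negotiation_failures | while IFS= read -r line; do
        what="${line%%: *}"
        offer="${line#*: }"
        weak="$(printf '%s' "$offer" | weak_algorithms)"
        printf '%s\n  offered: %s\n  legacy:  %s\n' "$what" "$offer" "${weak:-none}"
    done
}

# Run on the constructed sample; for a real host use: ssh -v user@host 2>&1 | report_offers
printf '%s\n' "$SAMPLE_SSH_OUTPUT" | report_offers
```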

