Azure DevOps hosted git, and Bastion, failing to negotiate encryption?

Jochen Bern Jochen.Bern at binect.de
Mon May 23 19:07:07 AEST 2022


On 21.05.22 01:41, Nico Kadel-Garcia wrote:
> I'm dealing with Azure DevOps git services with which recent, security
> hardened SSH clients on a RHEL 8 variant cannot establish public-key
> based SSH links to the Azure Devops. Other RHEL 8 based systems work
> well.
> 
> Conversely, Azure Bastion cannot use Azure key vault stored private
> SSH keys to access the same RHEL 8 based servers, though they can
> reach other hosts with the same private key and the same public key.
> I've also used the private SSH key, locally, to connect to the various
> servers.

In my experience, if you can run a plain "ssh -v" as the client, the 
output *does* include details about the problem *somewhere*. To wit:

> $ ssh -v root@SomeOldBox
[...]
> Unable to negotiate with SomeOldBox port 22: no matching key exchange
>    method found. Their offer: diffie-hellman-group-exchange-sha1,
>    diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

> $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1" root@SomeOldBox
[...]
> Unable to negotiate with SomeOldBox port 22: no matching
>    host key type found. Their offer: ssh-rsa,ssh-dss

> $ ssh -v -o "KexAlgorithms +diffie-hellman-group14-sha1"
>    -o "HostKeyAlgorithms +ssh-rsa" root@SomeOldBox
[...]
> Unable to negotiate with SomeOldBox port 22: no matching MAC found.
>    Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,
>       hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
etc. etc. If I had to *guess*, I'd say that the dissent is about the 
key vault somehow offering (only) ssh-rsa while the hardened RHEL now 
insists on rsa-sha2-* for a key algorithm ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
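The three transcripts above all end in the same kind of line, and the manual loop they illustrate (read the offer, check whether the local client still has that algorithm compiled in, check whether it is merely disabled by default) can be scripted. The following is an added example written for this page, not code from the thread or from OpenSSH. It parses an "Unable to negotiate" line, classifies it into the matching `ssh -Q` query and `ssh_config` option, and compares the peer's offer against two constructed lists standing in for `ssh -Q kex` (what the client can do) and `ssh -G host` (what it enables); all function names and sample lists are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the "Unable to negotiate"
# line that ssh -v leaves behind, extracts the peer's offer, and compares it
# with what the local client (a) has compiled in (ssh -Q) and (b) actually
# enables by default (ssh -G host). The lists below are constructed samples;
# on a real client you would fill them with:
#   supported=$(ssh -Q kex)                       # or key / mac / cipher
#   enabled=$(ssh -G host | awk '$1=="kexalgorithms"{print $2}' | tr ',' '\n')

# Constructed sample error, modelled on the first transcript in the thread.
SAMPLE_KEX_ERR='Unable to negotiate with SomeOldBox port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Constructed sample of a hardened client: group14-sha1 is compiled in but
# not enabled; group1-sha1 and group-exchange-sha1 are not compiled in at all.
SAMPLE_SUPPORTED='curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1'
SAMPLE_ENABLED='curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha256'

# Map the failure wording to the ssh -Q query name and the ssh_config option.
# Prints "<query> <option>"; returns 1 for lines it does not recognise.
category_of_error() {
    case "$1" in
        *"no matching key exchange"*)  printf 'kex KexAlgorithms\n' ;;
        *"no matching host key type"*) printf 'key HostKeyAlgorithms\n' ;;
        *"no matching MAC"*)           printf 'mac MACs\n' ;;
        *"no matching cipher"*)        printf 'cipher Ciphers\n' ;;
        *) return 1 ;;
    esac
}

# Print the peer's offer from the error line, one algorithm per line.
offer_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n' | sed '/^$/d'
}

# Print the items of list $1 that also occur in list $2 (whitespace separated).
common_items() {
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && printf '%s\n' "$a"
        done
    done
}

# diagnose "<error line>" "<supported list>" "<enabled list>"
# Prints exactly one line:
#   NO_OVERLAP              the client cannot speak anything the peer offers
#   ALREADY_ENABLED <algs>  an enabled algorithm is offered; the fault is elsewhere
#   DISABLED <algs>         offered and compiled in, but switched off locally
diagnose() {
    err=$1; supported=$2; enabled=$3
    category_of_error "$err" >/dev/null || return 1
    usable=$(common_items "$(offer_from_error "$err")" "$supported")
    if [ -z "$usable" ]; then
        echo NO_OVERLAP
        return 0
    fi
    already=$(common_items "$usable" "$enabled")
    if [ -n "$already" ]; then
        printf 'ALREADY_ENABLED %s\n' "$(printf '%s' "$already" | tr '\n' ' ')"
        return 0
    fi
    printf 'DISABLED %s\n' "$(printf '%s' "$usable" | tr '\n' ' ')"
}

# suggest_overrides "<error line>" "<supported list>"
# Prints the per-connection -o override for each offered algorithm the client
# has compiled in, in the form the thread's second transcript uses. This is a
# diagnostic aid; the durable fix is bringing the peer's algorithm set up to date.
suggest_overrides() {
    kind=$(category_of_error "$1") || return 1
    option=${kind#* }
    for alg in $(common_items "$(offer_from_error "$1")" "$2"); do
        printf '%s\n' "-o \"$option +$alg\""
    done
}

# Stand-alone demo on the constructed samples.
diagnose "$SAMPLE_KEX_ERR" "$SAMPLE_SUPPORTED" "$SAMPLE_ENABLED"
suggest_overrides "$SAMPLE_KEX_ERR" "$SAMPLE_SUPPORTED"
```

Run against the sample, `diagnose` reports `DISABLED diffie-hellman-group14-sha1` and `suggest_overrides` prints the same `-o "KexAlgorithms +diffie-hellman-group14-sha1"` that the second transcript in the thread uses; with a client that has none of the offered algorithms compiled in it reports `NO_OVERLAP`, which is the case where no client-side option helps and the peer has to change. The host-key and MAC failures from the later transcripts go through the same functions, selecting `HostKeyAlgorithms` and `MACs` respectively.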