Automated Testing

  • 1.  SSH on ADCD Systems

    Posted Fri December 09, 2022 03:11 PM

    We are implementing SSH on an ADCD system, but cannot get it working. We have compared the ADCD system to another z/OS system where SSH is working. Everything seems to be set up properly on the ADCD system, but after the SSH connection is established we get the following error.

        kex_exchange_identification: Connection closed by remote host

    However, if I look at the output the RSA key is accepted.

    We have done the following to debug this issue:
        Verified that the permissions on /etc/ssh directory are the same on both systems.
        Verified the extended attributes for all files under /etc/ssh.
        Verified that the file permissions under /etc/ssh are the same on both systems.
        Verified that the /etc/ssh/sshd.sh script is the same on both systems.
        Verified that the OpenSSH levels are the same on both systems.
        Verified the RACF security profiles on both systems for SSH User IDs, Groups, and Facilities.
        Verified that only SSH is using the configured port in the TCP Parameters file.
        Verified that the SSH port is open and is in listen state on USS.
        Tried to SSH in over a different port.
        Compared the SSH setup on both systems. They appear to be identical.
        Set up a trace, but did not get further information from that.
        Set up SSH from scratch.

    Has anyone successfully implemented SSH on an ADCD system or does anyone have any ideas regarding this issue?

    Thanks,

    Phyllis




    ------------------------------
    Phyllis Cox
    ------------------------------


  • 2.  RE: SSH on ADCD Systems

    IBM Champion
    Posted Mon December 12, 2022 03:30 AM
    Phyllis,

    The connection closed by remote host sounds like a problem at the other end. Check for messages there.

    Can you get a Wireshark trace of the session? This often has a bit more information about the problem, and can at least identify which part of the handshake is not working.
    If so, get one from the working and non-working systems. If you send them to me, I can help you look at them.

    Possible problems:
    1. The client does not have the CA from the host, so the client cannot validate what was sent down.
    2. The client does not have an acceptable certificate (if client authentication is being used), for example an RSA certificate is being requested and the client only has an Elliptic curve.
    3. The client has been configured not to accept certain cipher specs. But if it works on one system it should work on another system.
    Colin
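
    The following is an added example, not part of either post above. It is one way to check which part of the handshake fails without a packet capture: the OpenSSH client prints `kex_exchange_identification: Connection closed by remote host` when the connection closes while it is still reading the server's identification line (RFC 4253, section 4.2), and this probe reads that line directly. The function names, stage labels and the 8192-byte preamble bound are assumptions made for the example.

```python
import socket
import sys

MAX_IDENT = 255      # RFC 4253 section 4.2: identification line limit, CR LF included
MAX_PREAMBLE = 8192  # local bound (assumption) on pre-banner text we will read

def read_ident(sock, timeout=5.0):
    """Classify how far the server side of the SSH version exchange gets.

    Returns (stage, detail). Nothing is sent to the server: OpenSSH sshd
    writes its identification line as soon as the connection is accepted.
    """
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < MAX_PREAMBLE:
            chunk = sock.recv(256)
            if not chunk:  # orderly close by the peer
                stage = "closed-mid-ident" if buf else "closed-before-ident"
                return (stage, repr(buf[:80]))
            buf += chunk
            # Only complete lines count; lines before "SSH-" are allowed preamble.
            for line in buf.split(b"\n")[:-1]:
                if line.startswith(b"SSH-"):
                    if len(line) + 1 > MAX_IDENT:
                        return ("ident-too-long", repr(line[:80]))
                    return ("ident-received", line.rstrip(b"\r").decode("ascii", "replace"))
    except socket.timeout:
        return ("timeout", repr(buf[:80]))
    except ConnectionResetError:
        return ("reset", repr(buf[:80]))
    return ("no-ident", "read %d bytes without an SSH- line" % len(buf))

def probe(host, port=22, timeout=5.0):
    """Open a TCP connection and run read_ident() on it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return read_ident(s, timeout)
    except OSError as exc:
        return ("tcp-connect-failed", str(exc))

if __name__ == "__main__":
    # Usage: python3 ssh_ident_probe.py <host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(probe(host, port))
```

    Run it against both the working and the failing system. A `closed-before-ident` result on the failing one means the server dropped the connection before key exchange or authentication began.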