By default, Command Central 10.7 and higher uses strong key exchange methods that meet the current security requirements for SSH connections. Command Central allows the following key exchange methods (listed in order of priority): diffie-hellman-group14-sha256 (highest), diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha1 (lowest).
Only when required by the environment, you can also configure Command Central to allow the following key exchange methods, which are disabled by default, because they are weak:
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1
For details about how to enable these additional key exchange methods in Command Central, see the Command Central Help.
If the OpenSSH server is not configured to use any of the key exchange methods allowed by Command Central, you can update the server configuration to accept one or more of the allowed methods. Note that Command Central 10.11 and lower supports OpenSSH version 8.7 and lower.
Locate the configuration file of the OpenSSH server.
By default, the configuration file is at the following path:
C:\ProgramData\SSH\sshd_config on machines running Windows
/etc/ssh/sshd_config on machines running UNIX
Open the configuration file as root (UNIX) or Administrator (Windows).
Add one of the following lines:
To add key exchange methods to the default server list:
KexAlgorithms +<key_exchange_method1>,<key_exchange_method2>,...
To replace the key exchange methods in the default server list with the methods allowed by Command Central:
KexAlgorithms <key_exchange_method1>,<key_exchange_method2>,...
Where <key_exchange_method1>,<key_exchange_method2>,... is a comma-separated list of the key exchange methods to add to the OpenSSH server list.
To remove key exchange methods from the default server list:
KexAlgorithms -<key_exchange_method3>,<key_exchange_method4>,...
Where <key_exchange_method3>,<key_exchange_method4>,... is a comma-separated list of the key exchange methods to remove from the OpenSSH server list.
Save the file and restart OpenSSH:
systemctl restart sshd
To add the “diffie-hellman-group18-sha512” key exchange method, include the following line in the sshd_config file of the OpenSSH server:
KexAlgorithms +diffie-hellman-group18-sha512
Save the file and restart OpenSSH.
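One way to verify the result of this procedure, as an added example that is not part of the original article: the script reads the effective configuration printed by `sshd -T` (which already resolves any `+` or `-` prefixes) and compares it with the Command Central lists above. The function names and the sample output are constructed for illustration; it assumes Command Central, as the SSH client, selects its highest-priority method that the server also offers.

```sh
#!/bin/sh
# Added example (not from the article): check which Command Central key
# exchange methods an OpenSSH server actually offers.

# Allowed by Command Central 10.7+ by default, in priority order (from the article).
CC_ALLOWED="diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha1"
# Weak methods that Command Central disables by default (from the article).
CC_WEAK="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Read `sshd -T` output on stdin; print the effective KEX list, one per line.
kex_list() {
    awk 'tolower($1) == "kexalgorithms" { gsub(/,/, "\n", $2); print $2; exit }'
}

# match_kex "<candidates>" "<server list>": print the candidates the server
# offers, space-separated, in candidate (priority) order.
match_kex() {
    out=""
    for m in $1; do
        if printf '%s\n' "$2" | grep -qxF -- "$m"; then
            out="${out:+$out }$m"
        fi
    done
    printf '%s' "$out"
}

# Read `sshd -T` output on stdin, report, and return 1 when nothing overlaps.
check_kex() {
    server=$(kex_list)
    common=$(match_kex "$CC_ALLOWED" "$server")
    weak=$(match_kex "$CC_WEAK" "$server")
    if [ -n "$weak" ]; then echo "WARN server offers weak methods: $weak"; fi
    if [ -z "$common" ]; then
        echo "FAIL no method in common; add one with: KexAlgorithms +<method>"
        return 1
    fi
    echo "OK highest-priority common method: ${common%% *}"
}

# Constructed sample of `sshd -T` output (hypothetical server).
SAMPLE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1
ciphers aes256-gcm@openssh.com'

printf '%s\n' "$SAMPLE" | check_kex
# On a real host, as root: sshd -T | check_kex
```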
Further reading: To leverage Command Central and learn more, check out our Knowledge Base section: Command-Central Knowledge base articles, news, Community help, and support forum discussions
Get to know how to initially set up your Command Central: Command Central Initial Set-Up; Install, Fix, Replicate - made easy with Command Central
From Cygwin OpenSSH 8.8, ssh-rsa is deprecated, so Command Central (CC 10.7 fix 6) is not supported for OpenSSH 8.8.
As a workaround, configure the SSH server for the deprecated ssh-rsa,ssh-dss algorithms. Add the lines below to /etc/sshd_config in the Cygwin install directory and restart the SSH service.
HostKeyAlgorithms +ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss
Thanks, Gowri Prasad