
Problems with SCP Log Subscription to RHEL 9 Server

alex.dersch
Level 4

Hi, I am having problems pushing log files to a server running RHEL 9. In the SSH log on the server I see this:

fatal: mm_answer_sign: sign: error in libcrypto

I believe the OpenSSH version on the ESA server (OpenSSH_7.3) is not compatible with the server's SSH-2.0-OpenSSH_8.7. I have the possibility to modify the config on the server for the ESA server by configuring the settings in the .ssh/config file. I did this already by setting HostKeyAlgorithms, PubkeyAcceptedKeyTypes and PubkeyAcceptedAlgorithms. This helped already, but I still need the KexAlgorithms and MACs the ESA server is using.

Host 10.1.64.11
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms 
MACs 

Does anybody know what those settings should be?

thanks

Alex
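
Added example, not part of the original post and not Cisco or Red Hat tooling: the KexAlgorithms and MACs a peer offers travel in cleartext in its SSH_MSG_KEXINIT packet (RFC 4253, section 7.1), so they can be read from a packet capture of the failing connection and compared with what the server allows. The algorithm lists below are constructed sample values, not the ESA's real offer, and `build_kexinit` and `missing_overlap` are hypothetical helper names.

```python
import struct
# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
          "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c"]

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet that carries SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if packet_len + 4 > len(packet) or pad_len + 1 > packet_len:
        raise ValueError("bad packet or padding length")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    pos, offer = 17, {}                            # skip type byte + 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        offer[name] = raw.split(",") if raw else []
        pos += 4 + n
    return offer

def missing_overlap(offer: dict, allowed: dict) -> list:
    """Fields where the peer's offer shares no algorithm with the allowed list."""
    return [f for f in allowed if not set(offer[f]) & set(allowed[f])]

def build_kexinit(lists: dict) -> bytes:
    """Build a sample packet (stands in for bytes taken from a capture)."""
    payload = bytes([20]) + bytes(16)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(s)) + s
    payload += b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0                     # RFC 4253: at least 4 padding bytes
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

# Constructed sample values, not the real ESA offer or RHEL 9 defaults
CLIENT = {"kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"],
          "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]}
ALLOWED = {"kex_algorithms": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
           "mac_c2s": ["hmac-sha2-256", "hmac-sha2-512"]}
print(missing_overlap(parse_kexinit(build_kexinit(CLIENT)), ALLOWED))
```

A field returned by `missing_overlap` is one where negotiation cannot succeed until either side's list changes; with the sample values that is the client-to-server MAC.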

 

3 Replies 3

balaji.bandi
Hall of Fame

Check this, it may help you:

https://github.com/openssl/openssl/issues/18420

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,

Thanks for the link. I've read this before. I am a bit worried about enabling SHA1 system-wide on the server, since SHA1 was officially declared insecure by the National Institute of Standards and Technology (NIST) in 2011. I also don't understand why Cisco is still running OpenSSL Version 7, which has a lot of vulnerabilities, on a system like ESA.

I would prefer to configure it host-based rather than system-wide.

Best regards

Alex

Then you need to uplift your certs to meet the requirement.

BB
