Info:
When Venafi connects to older Linux systems, we may see an error indicating a connection failure:
Failed to conect to the host
This issue may be caused by the target system running an SSHD that only offers ssh-dss (DSA) host keys. The Device logs in Venafi would show something similar to this:
The SSH library failed to connect to ********* on port 22, with the Connection Result 9: Failed to negotiate a transport component [ecdsa-sha2-nistp384] [ssh-dss].
While not recommended, the use of DSA keys during provisioning can be enabled as a workaround.
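To make the log line concrete, here is an added Python example (not Venafi's or OpenSSH's code) that constructs a server KEXINIT offering only ssh-dss and runs the RFC 4253 host-key selection against a client list; the client algorithm list and the simplified selection rule are assumptions.

```python
# Added example (not Venafi code): rebuild the host-key negotiation behind the
# "Failed to negotiate a transport component" log line. Packets are constructed.
import struct

# Host key algorithms a modern client might offer (assumption, for illustration).
CLIENT_HOSTKEY_ALGS = ["ecdsa-sha2-nistp384", "ssh-ed25519", "rsa-sha2-256"]

def _name_list(names):
    # SSH name-list: uint32 length followed by comma-separated names
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data

def build_kexinit(hostkey_algs, kex=("diffie-hellman-group14-sha256",)):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) for a server."""
    payload = b"\x14" + bytes(16)  # message type 20 + 16-byte cookie
    lists = [kex, hostkey_algs, ["aes256-ctr"], ["aes256-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    for names in lists:
        payload += _name_list(names)
    return payload + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists; index 1 is server_host_key_algorithms."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, lists = 17, []
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode()
        lists.append(raw.split(",") if raw else [])
        pos += n
    return lists

def negotiate_hostkey(client_algs, server_kexinit):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    server_algs = parse_kexinit(server_kexinit)[1]
    return next((a for a in client_algs if a in server_algs), None)

def explain(client_algs, server_kexinit):
    """Mirror the Venafi log line: chosen algorithm, or the two non-overlapping lists."""
    chosen = negotiate_hostkey(client_algs, server_kexinit)
    if chosen:
        return f"host key algorithm: {chosen}"
    return f"Failed to negotiate a transport component {client_algs} {parse_kexinit(server_kexinit)[1]}"

if __name__ == "__main__":
    legacy = build_kexinit(["ssh-dss"])  # an old SSHD offering only a DSA host key
    print(explain(CLIENT_HOSTKEY_ALGS, legacy))
    print(explain(CLIENT_HOSTKEY_ALGS + ["ssh-dss"], legacy))  # client with DSA re-enabled
```

The second call shows what the workaround below does: only when ssh-dss is added to the client's own list does the negotiation against a DSA-only host succeed.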
More Info:
To enable ssh-dss, create a string value named "EnableSSHDSS" and set it to "1" under the "HKLM\Software\Venafi\Platform" registry key.
This value must be added on every Venafi server that initiates the SSH connection, and the Venafi Trust Protection Platform service must be restarted for it to take effect.
The answer at https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys/112818 provides a good background on why DSA is deprecated.
Please consider switching your servers to newer, secure key algorithms.