Troubleshooting
Problem
In some cases, firewalls may have pre-defined rules to make configuring policies easier.
If your firewall has such pre-defined policies, be aware that there may be two different protocol rules: SSH and SSHv2, corresponding to SSH protocol versions 1 and 2 respectively. However, both protocol versions use port 22, and if one is explicitly 'blocked' while the other is 'allowed', some firewalls may not let through all the packets needed to complete the ssh handshake between the OpenSSH server and client.
Symptom
When reviewing a packet trace, you may observe an initial connection established, but later packets may not be allowed through the firewall.
Additionally, when reviewing OpenSSH debug information, the z/OS OpenSSH server debug trace may show debug data similar to:
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: SSH2_MSG_KEXINIT sent
fatal: FOTS1450 Timeout before authentication for x.x.x.x
While the OpenSSH client may see debug tracing similar to:
debug1: Connecting to xx.xx.xx.com [x.x.x.x] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: match: OpenSSH_6.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by x.x.x.x
Couldn't read packet: Connection reset by peer
In both cases (client and server) the debug trace shows the utility waiting for packets. The server is waiting for the SSH2_MSG_KEXINIT and SSH2_MSG_KEX_DH_GEX_REQUEST messages from the client, while the client is waiting for a response to its SSH2_MSG_KEX_DH_GEX_REQUEST (which would be an SSH2_MSG_KEX_DH_GEX_GROUP message from the server). Note that both sides did receive the other's version string, so the TCP connection and the initial banner exchange were allowed through; it is the binary key-exchange packets that follow the banner that are not arriving.
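The following script is an added example for this technote, not IBM's or OpenSSH's own code. It parses the two debug traces shown above (copied verbatim into the script) and reports, for each side, which SSH2_MSG_* key-exchange messages were sent and received, what the side was waiting for, and whether the session ended while the key exchange was still pending. Comparing the two sides also shows which direction the packets are being lost in: here the client logged the server's KEXINIT, but the server never logged anything from the client after the banner. The verdict strings ("kex_stalled", "no_stall", "no_version_exchange") and the short HEALTHY_CLIENT_TRACE are this script's own constructed conventions, and it assumes the standard debug1-level line formats that ssh -v and sshd -d print.

```python
"""Locate where an OpenSSH protocol-2 key exchange stalled, from ssh -v / sshd -d output."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample traces copied from the technote (client and server sides of the same failed session).
SERVER_TRACE = """\
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: SSH2_MSG_KEXINIT sent
fatal: FOTS1450 Timeout before authentication for x.x.x.x
"""

CLIENT_TRACE = """\
debug1: Connecting to xx.xx.xx.com [x.x.x.x] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: match: OpenSSH_6.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by x.x.x.x
Couldn't read packet: Connection reset by peer
"""

# Constructed excerpt (not from the page) of a client trace whose key exchange completes.
HEALTHY_CLIENT_TRACE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
"""

SENT_RE = re.compile(r"debug1: (SSH2_MSG_[A-Z_]+)(?:\([^)]*\))? sent$")
RECV_RE = re.compile(r"debug1: (SSH2_MSG_[A-Z_]+) received$")
EXPECT_RE = re.compile(r"debug1: expecting (SSH2_MSG_[A-Z_]+)")
LOCAL_RE = re.compile(r"Local version string (SSH-\S+)")
REMOTE_RE = re.compile(r"(?:Remote|Client) protocol version ([0-9.]+)")
# Lines that mark the end of the connection before the key exchange finished.
END_MARKERS = ("Connection closed by", "Connection reset by peer", "Timeout before authentication")


@dataclass
class KexReport:
    local_banner: str | None = None    # our SSH-2.0-... version string went out
    remote_version: str | None = None  # peer's version string arrived, so the banner exchange worked
    sent: list[str] = field(default_factory=list)
    received: list[str] = field(default_factory=list)
    expecting: str | None = None       # last "expecting ..." message, i.e. what this side waited for
    terminated: str | None = None      # the line that ended the session, if any

    @property
    def verdict(self) -> str:
        if self.remote_version is None:
            return "no_version_exchange"  # connection never got past the banner; a different problem
        if self.terminated and self.sent and (self.expecting or len(self.received) < len(self.sent)):
            return "kex_stalled"          # banner exchanged, then key-exchange packets stopped flowing
        return "no_stall"


def analyze(trace: str) -> KexReport:
    """Walk a debug trace line by line and record the key-exchange messages it mentions."""
    r = KexReport()
    for raw in trace.splitlines():
        line = raw.strip()
        if m := LOCAL_RE.search(line):
            r.local_banner = m.group(1)
        elif m := REMOTE_RE.search(line):
            r.remote_version = m.group(1)
        elif m := SENT_RE.search(line):
            r.sent.append(m.group(1))
        elif m := RECV_RE.search(line):
            r.received.append(m.group(1))
        elif m := EXPECT_RE.search(line):
            r.expecting = m.group(1)
        elif any(marker in line for marker in END_MARKERS):
            r.terminated = line
    return r


def direction_of_loss(client: KexReport, server: KexReport) -> str:
    """A message one side sent that the other never logged as received shows which
    direction the firewall is dropping post-banner packets in. The very last message
    before a reset may simply have been in flight, so treat the answer as indicative."""
    c2s_missing = [m for m in client.sent if m not in server.received]
    s2c_missing = [m for m in server.sent if m not in client.received]
    if c2s_missing and s2c_missing:
        return "both"
    if c2s_missing:
        return "client_to_server"
    if s2c_missing:
        return "server_to_client"
    return "none"


if __name__ == "__main__":
    c, s = analyze(CLIENT_TRACE), analyze(SERVER_TRACE)
    for name, rep in (("client", c), ("server", s)):
        print(f"{name}: {rep.verdict}; sent={rep.sent} received={rep.received} waiting for={rep.expecting}")
    print("packets lost in direction:", direction_of_loss(c, s))
```

Run it as-is to see the page's two traces classified; to triage a live case, capture the client side with ssh -v and the server side with sshd -d and pass those texts to analyze(). A "kex_stalled" verdict on both sides with the version strings exchanged is the signature described in this technote, and is what distinguishes a half-applied SSH/SSHv2 rule pair from a port that is simply closed.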
Resolving The Problem
Allowing both "SSH" and "SSHv2" rules on the firewall should allow all the ssh packets to pass through.
Document Location
Worldwide
Product Synonym
5655M2301; z/OS OpenSSH; OpenSSH for z/OS
Document Information
Modified date:
03 September 2021
UID
ibm16412705