Linux IS problem with DP 23.4, RHEL8 and RHEL9

Hello all!

I updated the CM (windows) and IS for Linux (on RHEL8)  to 23.4.

Now i want to add a new RHEL9 client, but i can't ssh into it.

In /var/log/secure on the new client it says:

Nov 28 10:53:42 thinstation sshd[848927]: Unable to negotiate with 172.16.3.143 port 36934: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

The funny thing is, when i ssh between IS and new client in the shell, this works fine.

Is using omniback an own ssh client or own settings?

Thanks!

  • Suggested Answer

    0  

    DP uses /opt/omni/lbin/omnissh.sh script to connect.

    If you look in the script:

    #==============================================================================
    # (c) Copyright 2006, Hewlett-Packard, all rights reserved.
    #
    # PACKAGE HP OpenView OmniBack II
    # FILE omnissh.sh
    # RCS $Header: /install/omnissh.sh $Rev$ $Date:: $:
    # AUTHOR Anbuchezhian C
    #
    # DESCRIPTION
    # Do not edit this script manually.
    # A wrong edit of this file may disrupt the installation through SSH.
    # This script is used by the bmsetup binary.
    #
    #==============================================================================

    if [ "$OB2_ENCRYPT_PVT_KEY" = "1" ]
    then

    #If the private keys are encrypted use the below line
    . $1/.keychain/`hostname`-sh > /dev/null 2>&1; ssh $2 $3

    else

    #If the private keys are NOT encrypted use the below line
    if [ "$4" = "1" ]
    then
    ssh $2 $3
    else
    ssh -tt $2 $3
    fi
    fi

    as you can see DP uses ssh

    Please assign kudos if this solve your issue.

    Kind regards,

    Dionisio Sciascia
    Micro Focus (now OpenText) Professional Services Senior Technical Consultant
    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Thanks for the help, but why is it not working with DP but fine in the shell - i don't understand this. Can i add some debugging into this script?

  • 0   in reply to 

    Of course you can add some debugging but at your own risk. Save the original script so that you can revert back when you have completed you investigation. My suggestion is to check which ssh command is used as in the script there is no full path.

    Kind regards

    Dionisio Sciascia
    Micro Focus (now OpenText) Professional Services Senior Technical Consultant
    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    i added a "-E logfile" to the command, and what i can see so far, it looks the same as with shell, but the problem is, it connects with user "root" which is prohibited in our case. But when i add a user/pw which would be allowed to sudo for install all i get is 

    [Warning] <xx.xy.zz>  Invalid username or bad password (userx)

    Also there comes nothing new into the ssh log file, which is strange, but i see a new connection with tcpdump.

  • Verified Answer

    +1 in reply to 

    As assumed the problem was on the ssh-server side (= the RHEL9 machine)

    After

    update-crypto-policies --set LEGACY

    the install worked.

    Good because it worked and bad, as for security reasons nobody wants legacy settings.

    There is a reason why the default is something else in RHEL.

    It also does not answer the question why ssh in shell works, but ssh via DP does not.

    It would be great if there can be a solution from DP or at least some remark in the docs.

  • 0   in reply to 

    This is looking serious enough for a support case, I would say. If you log a case and provide me with the ID then I'll keep an eye on it and guide the owner.


    Koen Verbelen

    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button.
    You may also be interested in my Data Protector Support Tips listed per category

  • 0   in reply to   

    Actually, it turns out there is an existing change request for this already: OCTCR19Q2105373. So there's no need for a new case. The problem is being handled already.

    Thanks a lot for having reported this on the forum!


    Koen Verbelen

    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button.
    You may also be interested in my Data Protector Support Tips listed per category