...
The error messages seen vary widely depending on the third-party SSH tool in use, for example PuTTY, or other SSH connection methods such as Windows Secure Copy Protocol (WinSCP) or other programming functions.

The specific failure is usually some variation of the following, but is not limited to these: a generic algorithm or cryptographic error for SSH, or a failure to negotiate or find wanted algorithms or other cryptography. Specific errors also vary across third-party software versions. Due to the scale of possible SSH tools, Dell does not keep a list of all possible errors.

If your tools fail to connect to SSH after a 9.4 upgrade is confirmed as complete, the easiest way to test is to download the latest version of a basic SSH tool such as PuTTY, or to use existing SSH terminal functionality if present on your operating system, such as Windows, macOS, Linux, or UNIX. (If you use OS-level CLI tools, ensure they are also current and updated properly.)

If your "latest and greatest" tool can connect to SSH successfully, but your older or not yet updated tools cannot connect due to errors like those, this issue is affecting you.

Technical Support confirmation that this issue affects you cannot be obtained without providing client-side logs from your local systems for review. If your tool does not present clear errors and is from a commercial vendor, and you are not sure how or where to get the SSH-related logs from that tool, Dell does not keep support data on such third-party vendors. Contact your vendor directly for help to find such client-side logs. If it is an internal corporate or organization tool, or similarly proprietary, you must engage that team on your side.
This has a simple cause. As is best practice, always review the Release Notes end to end with the stakeholders working on and maintaining your storage solution before upgrade, in case you must adjust any downstream local systems due to inbound changes.

The specific details are found in the OneFS 9.4 release notes for OneFS/Isilon: OneFS 9.4.0.0 Documentation - PowerScale Info Hub, OneFS 9.4 Release Notes. Pages 4-5 of the 9.4 Release Notes cover the topic.

Certain less-secure or insecure cryptographic algorithms were deprecated and removed from our product. Outdated third-party SSH client tools may fail to connect until updated. This is because older SSH client tools engage the SSH service on the OneFS side and try to negotiate algorithms that are no longer present. This always fails, as one side (the client side) is trying to use something that is no longer available on the other side (the storage cluster).

The same client-side failure would happen if that client tool attempted an SSH connection to any network host that does not have the algorithms the tool wants to use. Over time, if your SSH client tools are not routinely updated, you eventually fail to connect to more systems as those systems also update their security. The easiest remediation on an ongoing basis is to always keep SSH client tools up to date.

Periodic security enhancements like this are standard on virtually all related technologies industry-wide in response to ongoing security reviews and challenges. A previous incident of PowerScale cryptography upgrades requiring adjustments to client-side tools involved different algorithms and was detailed in PowerScale: SSH Key Exchange Algorithm is flagged by security vulnerability scanners: diffie-hellman-group1-sha1.
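The negotiation failure described above can be located in a client-side log by comparing what each side proposed. The following is an added example, not Dell code or part of the original article: it assumes an OpenSSH client run with `ssh -vv`, whose debug2 lines list the client and server proposals, and the function names and the sample algorithm lists are constructed for illustration.

```python
import re

# Proposal fields as OpenSSH prints them at debug2 level (ssh -vv).
FIELDS = ("KEX algorithms", "host key algorithms", "ciphers ctos",
          "ciphers stoc", "MACs ctos", "MACs stoc")

# Constructed, trimmed sample log. The algorithm lists are illustrative only
# and are NOT the lists OneFS 9.4 or any particular client actually offers.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256
"""

def parse_proposals(log_text):
    """Return {'client': {field: [algs]}, 'server': {...}} from ssh -vv output."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in log_text.splitlines():
        m = re.match(r"\s*debug2: (.*)$", line)
        if not m:
            continue
        body = m.group(1).strip()
        if body == "local client KEXINIT proposal":
            side = "client"
        elif body == "peer server KEXINIT proposal":
            side = "server"
        elif side:
            name, sep, value = body.partition(":")
            if sep and name in FIELDS:
                proposals[side][name] = [a for a in value.strip().split(",") if a]
    return proposals

def negotiation_gaps(proposals):
    """Return the fields where client and server share no algorithm.
    A MACs gap is only fatal when the agreed cipher is not an AEAD cipher."""
    gaps = {}
    for field in FIELDS:
        client = proposals["client"].get(field, [])
        server = proposals["server"].get(field, [])
        if client and server and not set(client) & set(server):
            gaps[field] = {"client_only": client, "server_only": server}
    return gaps
```

Calling `negotiation_gaps(parse_proposals(text))` on a saved debug log names each category in which the outdated client and the upgraded server have nothing in common, which is the comparison Support needs to see in the client-side logs.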
Upgrade your SSH client tools:

The recommended solution is to update any problematic SSH client tools to accommodate the revised cryptographic algorithm requirements on the target host side (the PowerScale cluster). This is the safest option for your security.

If you have validated your toolset upgrade and it still fails to connect, make certain to test that same SSH connection on your network first, as recommended, with another modern, latest-version third-party tool like PuTTY (even if you have to do this test again) before contacting PowerScale Support. Having that comparison is important for troubleshooting.

You must also obtain full unredacted SSH client logs showing failures and any offered and available algorithms. Support must know what both sides are communicating to each other in full.

If your tool does not present clear errors and is from a commercial vendor, and you are not sure how or where to get SSH-related logs from that tool, Dell does not keep support data on such third-party vendors; there are too many for us to track. Contact your vendor or IT staff directly for help with finding such "client side" logs if needed. If it is an internal corporate or organization tool, or similarly proprietary, you likely must engage that team on your side.

If your staff or vendor is presently unable to update your tools:

If your technical staff is unable to do this, the technical possibility exists for you to modify, on your own, the relevant SSH configurations on the PowerScale OneFS side to "reenable" outdated, less secure, or problematic algorithms. Review the 9.4 Release Notes to find which algorithm your client tool expects and is unable to find because it is no longer available.

Using the same methods detailed in PowerScale: SSH Key Exchange Algorithm is flagged by security vulnerability scanners: diffie-hellman-group1-sha1, you can modify the OneFS settings to make OneFS accommodate outdated SSH client software.
This alternative approach is not recommended except in situations like time-limited emergencies where an immediate connection for a specific given tool is required for an established workflow, and your SSH client systems should still be updated as soon as possible for your own safety. If you use this approach to "get in now," you are encouraged to go back into the system after your SSH client tools are repaired and upgraded, to disable the weaker algorithms you enabled.

Dell Support staff cannot weaken the security profile of a PowerScale cluster like this or help with that ourselves. Such adjustments must be run by the storage administration staff that manages your PowerScale clusters. Dell Support is also unable to assist with any updates of third-party client SSH tools on your local computers and servers, such as PuTTY, WinSCP, native operating system terminal-type tools, or any third-party vendor software or similar functionality.

The ultimate recommended course of action for your long-term security is that your staff update your SSH client tools to comply with revised modern SSH algorithm guidance.