
Why can't AnzioWin or Anzio Lite connect to a new SSH server?

FAILURE TO CONNECT ANZIO TO RECENT LINUX VERSIONS
May 26, 2023

There are two known issues that prevent recent versions of Anzio Lite and AnzioWin from connecting via SSH to recent versions of various Linux distributions. In both cases the host system's SSH program (sshd) requires a later, more secure version of a security protocol than we have built into Anzio so far. Our known mitigation strategies follow.

THE FOLLOWING PROCEDURES ASSUME THAT ANZIO LITE OR ANZIOWIN IS AT LEAST VERSION 17.3.

We recommend trying solution 1) and then, if that doesn't work, solution 2).

1) SYSTEM-WIDE CRYPTOGRAPHIC POLICIES (SWCP)

Recent versions of Red Hat and other Linux distributions have added a layer of "System-wide cryptographic policies" (SWCP) that can place additional restrictions on SSH and other security protocols. The latest versions (17.3) of Anzio Lite and AnzioWin do not meet the requirements of SWCP's DEFAULT mode, but DO meet those of LEGACY mode.

We advise searching for "update-crypto-policies" on your Linux distro's support forum. For example, we found this page on Red Hat:
   https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82

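If your Linux supports SWCP, the following apparently works, according to our users. Because SWCP is system-wide, the change applies to the other security protocols it governs as well as SSH. In a shell session with root privileges, run: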
      update-crypto-policies --set LEGACY

2) RSA HOST KEY ALGORITHM

In this case the host's default behavior is to disallow ssh-rsa (RSA) as a host key algorithm. The problem is that Anzio does not yet support any of the later host key algorithms.

To fix this:

Tell the host end of SSH, that is, sshd, that it should support ssh-rsa as a host key algorithm, as follows:

* Get to a Linux shell with root permissions.

* Identify which file controls the behavior of the SSH daemon. This is usually /etc/ssh/sshd_config .

* Make a backup copy of that file, in case something goes wrong.

* Add the one line:

   HostKeyAlgorithms +ssh-rsa

to the config file (such as at the very end of the file), then save the file.

* To make sshd adopt those changes, you can

a) reboot the server

OR

b) run the command
   service ssh reload

OR

c) find the first-level sshd process ID (PID) using ps, and run

   kill -1 <PID>

where "<PID>" is the process-ID for the initial instance of sshd.

The sshd should now accept a connection from Anzio 17.3. If it does not, please send a copy of the contents of Diagnose:Debug Communication.
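
A sketch of the edit in step 2 as a shell function, added here as an example and not part of Rasmussen Software's instructions. It goes slightly beyond the text: it refuses to add a second HostKeyAlgorithms line and, when the file contains Match blocks, places the line before the first one instead of at the very end; the function name enable_ssh_rsa_hostkey and the backup file suffix are assumptions.

```sh
#!/bin/sh
# Added example, not Rasmussen Software's code. The function name and the
# backup suffix are assumptions made for this sketch.
#
# Usage (as root): enable_ssh_rsa_hostkey /etc/ssh/sshd_config
# Returns 0 = line added, 1 = file problem, 2 = the global section already
# sets HostKeyAlgorithms. sshd keeps the first value it reads for a keyword,
# so a second line would be ignored; merge ssh-rsa into the existing one.
enable_ssh_rsa_hostkey() {
    cfg=$1
    line='HostKeyAlgorithms +ssh-rsa'
    if [ ! -f "$cfg" ] || [ ! -w "$cfg" ]; then
        echo "cannot edit $cfg" >&2
        return 1
    fi

    # Global section = everything before the first Match line.
    # Keywords are case-insensitive; commented-out lines do not count.
    if awk 'tolower($1) == "match" { exit }
            tolower($1) == "hostkeyalgorithms" { found = 1; exit }
            END { exit !found }' "$cfg"; then
        echo "$cfg already sets HostKeyAlgorithms; edit that line" >&2
        return 2
    fi

    # Backup copy, as the procedure asks, before anything is written.
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak" || return 1

    # A line after "Match ..." is read as part of that block, not as a
    # global setting, so insert before the first Match. With no Match
    # block the line lands at the very end of the file.
    tmp=$(mktemp) || return 1
    awk -v line="$line" '
        !placed && tolower($1) == "match" { print line; placed = 1 }
        { print }
        END { if (!placed) print line }' "$bak" > "$tmp" &&
        cat "$tmp" > "$cfg"   # rewrite in place: owner and mode are kept
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

After the function reports success, `sshd -t` checks the file for syntax errors before you reload. `sshd -T | grep -i hostkeyalgorithms` prints the value sshd will actually use, which also shows whether a file pulled in with Include supplied a value first.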
 

NOTE: We do not plan on making further enhancements to Anzio or its security protocols.

Copyright © 2024 Rasmussen Software, Inc. Legal Information & Privacy Policy
Send comments and suggestions to rsi@anzio.com