From ce96ea39e0958a627cbc110ab63606cef8475a3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laurent=20P=C3=A9tr=C3=A9?= <laurent.petre@cern.ch>
Date: Tue, 28 Nov 2023 20:00:47 +0100
Subject: [PATCH] Add instructions on how to access "old nodes" in P5/CMS

---
 docs/setups-description.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/setups-description.md b/docs/setups-description.md
index f7e0841..a8b026b 100644
--- a/docs/setups-description.md
+++ b/docs/setups-description.md
@@ -143,6 +143,30 @@ an exercise left for the reader.
     xfreerdp <path-to-the-rdp-file> /size:1918x1060 /gu:CERN\\<nice-username> /u:CERN\\<nice-username>
     ```
 
+### Old nodes access
+
+Newer Linux releases (e.g. AlmaLinux 9) disable the old and insecure algorithms
+or protocols by default. While technically a good thing, this newer default
+prevents connecting to older nodes, such as SYx525 CAEN mainframes or non
+patched CTP7. In such cases, you get errors such as:
+
+* `ssh_dispatch_run_fatal: Connection to ww.xx.yy.zz port 22: error in libcrypto`
+* `Unable to negotiate with ww.xx.yy.zz port 22: no matching host key type found. Their offer: ssh-dss`
+
+On the P5/CMS system, a dedicated node allowing weaker algorithms has been
+created: `access-old-nodes`. In order to make use of it, first connect directly
+to the node (using the `ProxyJump` directive is not sufficient; the connection
+must be _initiated_ from that specific node). From there, connect via SSH as
+usual.
+
+Some target may however require additional configuration options. Typically,
+the SYx525 CAEN mainframes require the addition of
+`-oPubkeyAcceptedAlgorithms=+ssh-dss -o HostKeyAlgorithms=+ssh-dss` (can also
+be added in the `.ssh/config` file).
+
+No such node or specific configuration instructions currently exist for other
+setups.
+
 ## Integration setup usage
 
 It is important to realize we are all sharing a set of common equipment and are working towards a common goal.
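Review bot: the added "Old nodes access" section gives the weakened-algorithm options only as a command-line fragment, and that fragment is inconsistent in form (`-oPubkeyAcceptedAlgorithms=+ssh-dss` next to `-o HostKeyAlgorithms=+ssh-dss`); since the text also says the options "can also be added in the `.ssh/config` file", I would spell out that form scoped to the affected hosts rather than leaving it to the reader, so that `ssh-dss` is re-enabled only for the SYx525 mainframes and not for every connection made from `access-old-nodes`, e.g. `Host <sy4527-hostname>` / `    PubkeyAcceptedAlgorithms +ssh-dss` / `    HostKeyAlgorithms +ssh-dss`. Two smaller points in the same hunk: "Some target may however require" should read "Some targets may, however, require", and the sentence on `ProxyJump` would be clearer if it said why it is not sufficient (with `ProxyJump` the SSH negotiation with the old node is still performed by the client's own, newer OpenSSH, so the stricter defaults still apply).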
-- 
GitLab