topic Re: CLI-Analyser needs ciphers added to fix this symptom? in Cisco CLI Analyzer

CLI-Analyser needs ciphers added to fix this symptom?

MicJameson1 — Thu, 09 Mar 2023 22:19:18 GMT

Error shown in logs of ISR4321-K9, Version 16.06.04, when trying to use CLI-Analyser to SSH into it ...

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
--

ISR4321-K9#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-(!! obfuscated !!)
ssh-rsa (!! obfuscated !!)

Is this because CLI-analyzer is missing ciphers?

Must I update from SSH 1.99 to SSH 2.0 ?
Please fix this ASAP? May you please inform me here that this is fixed?

Thank you!

Re: CLI-Analyser needs ciphers added to fix this symptom?

balaji.bandi — Thu, 09 Mar 2023 22:47:16 GMT

as i suggested another post - you have a cipher mismatch

read this log correctly :

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

EDIT: IOS XE 16.6 is an old code try to upgrade to 17.X

Re: CLI-Analyser needs ciphers added to fix this symptom?

Leo Laohoo — Thu, 09 Mar 2023 22:49:39 GMT

Wait .... The error message means the SSH client is not Deffie-Hellman but the router is expecting DH.

This is not a code issue, this is an issue with the SSH client-side.

Re: CLI-Analyser needs ciphers added to fix this symptom?

balaji.bandi — Fri, 10 Mar 2023 11:50:11 GMT

This is not a code issue, this is an issue with the SSH client-side.

I was not suggesting to upgrade IOS due to this issue, since i saw old IOS, so suggesting to upgrade to latest.

Re: CLI-Analyser needs ciphers added to fix this symptom?

MicJameson1 — Fri, 10 Mar 2023 15:54:37 GMT

It surprises me that a mainstream commercial SSH client would have this issue.

Shouldn't a commercial SSH client just hold every reasonable cypher preference a mainstream box might require, such as diffie-hellman-group-exchange-sha1, and diffie-hellman-group14-sha1 ?

Re: CLI-Analyser needs ciphers added to fix this symptom?

Leo Laohoo — Fri, 10 Mar 2023 23:42:47 GMT

@MicJameson1 wrote:
It surprises me that a mainstream commercial SSH client would have this issue.

I am using SecureCRT and DH is disabled by default. If I see a message like that, I usually just put a tick in the SSH option for DH and it starts working.

Re: CLI-Analyser needs ciphers added to fix this symptom?

balaji.bandi — Sat, 11 Mar 2023 10:45:50 GMT

Due to security reasons some of the old ciphers fade (one side people asking to move to the next level of security, once asking legacy cipher in the network ) - so one needs to make a decision on what needs to be used for their use case.

As I mentioned earlier in another post - the CLI analyzer stopped releasing a new version, and it ended in 2021

I have also suggested some steps they recommend to ignore the options in the CLI analyser - have you tried them?

(Note : I do not remember, there is some where option you can do, but try to download cli analyser - giving me error - will try again and let you know if I come across any findings)