topic Re: Scripting SSH connection in Endpoint Security

Scripting SSH connection

Brinay581 — Mon, 06 Jul 2020 14:38:36 GMT

Hi,

I'm trying to set up a script whereby I can access one of our switches using SSH. I'm currently trying this from the CLI of my PC but getting the following:

C:\Users\<user>>ssh <switch> -l <username> -oHostKeyAlgorithms=+ssh-dss,ssh-rsa -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -v
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to <switch> port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<user>/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\<username>/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to <switch>:22 as '<username>'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
ssh_dispatch_run_fatal: Connection to <switch> port 22: Invalid key length

Does anyone have any idea why this isn't working ? Thanks.

Re: Scripting SSH connection

balaji.bandi — Mon, 06 Jul 2020 21:29:28 GMT

what does the outcome if you try the simple command :

ssh -c 3des-cbc user@device-ip

Re: Scripting SSH connection

mljevakovic — Tue, 07 Jul 2020 06:08:04 GMT

ssh -c

-c is a option which selects the cipher specification for encrypting the session. cipher_spec is a comma-separated list of ciphers listed in order of preference (in your case you use 3des-cbc)

Re: Scripting SSH connection

Brinay581 — Tue, 07 Jul 2020 08:04:50 GMT

Hi,

Thanks for this but it just came back with "Unable to negotiate with <ip> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1".

I tried adding -oKexAlgorithms=+diffie-hellman-group1-sha1 but that came back with the original message "ssh_dispatch_run_fatal: Connection to <ip> port22: Invalid key length.

SSH is working as such as I can connect to this switch with Putty.

Re: Scripting SSH connection

mljevakovic — Tue, 07 Jul 2020 08:13:55 GMT

try this command on switch "ip ssh client algorithm encryption 3des-cbc"
more on the link
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html

Re: Scripting SSH connection

balaji.bandi — Tue, 07 Jul 2020 16:43:17 GMT

what ssh program you using to connect. can you post ssh -v ?

Re: Scripting SSH connection

mljevakovic — Wed, 08 Jul 2020 06:12:16 GMT

putty 0.73

does the provided command help you. You should configure it in config mode

Re: Scripting SSH connection

Brinay581 — Wed, 08 Jul 2020 09:37:42 GMT

Hi - the "-v" output is the same as the original at the beginning of the post. Thanks.

Re: Scripting SSH connection

Brinay581 — Wed, 08 Jul 2020 09:39:46 GMT

Hi - I'm using SSH from the command line of Windows. Thanks.