topic Is this correct cipher for accessing router via ansible in Network Security

What kind of cipher should be used when ssh to a router

interfacedy — Sun, 09 Jan 2022 16:19:29 GMT

Hi Accessing to a router (7200/ios15/192.168.1.16) from Ubuntu via ssh failed as below. It looks like there is no matching cipher. After several tries changing different cipher as below, ssh still cannot access the router. Anyone can share some solutions? Thank you

admin1@DESKTOP-935CSD2:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

admin1@DESKTOP-935CSD2:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

admin1@DESKTOP-935CSD2:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CSD2:~$

Re: What kind of cipher should be used when ssh to a router

Rob Ingram — Sun, 09 Jan 2022 16:54:28 GMT

@interfacedy The 7200 is old, so might not actually support the latest and most secure ciphers that ubuntu does. Run "show ip ssh" to determine what the 7200 supports.

Re: What kind of cipher should be used when ssh to a router

balaji.bandi — Sun, 09 Jan 2022 18:27:28 GMT

Try

$ ssh -c diffie-hellman-group1-sha1 admin@192.168.1.16

Legacy support :

https://www.openssh.com/legacy.html

Re: What kind of cipher should be used when ssh to a router

interfacedy — Sun, 09 Jan 2022 20:45:39 GMT

@rob, What model can we can try instead of 7200? but the 7200 has new ios version 15

R7200#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4O7wAiNzdD2WG4Efq+loV5GQVhxsfJCVFjejNG6Y2
3WmEt80EPtLoB8AhcmYuvV/1SPc9z9jQ532D9ri2tO7SACBXtBiTzMYpnp9Y/CZLtnNOWEB5sgEMH2ri
PfyBr5Pksfc4KC0NcUZZnieC5hBRZRZtuLqPDUjjeWDGj8kt6Q==
R7200#
R7200#sh run | i ssh
ip ssh version 2
transport input telnet ssh

admin1@DESKTOP-935CSD2:~$ ssh -c diffie-hellman-group1-sha1 admin@192.168.1.16
Unknown cipher type 'diffie-hellman-group1-sha1'

Re: What kind of cipher should be used when ssh to a router

balaji.bandi — Mon, 10 Jan 2022 01:05:10 GMT

have replied other post try below guide @

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

Is this correct cipher for accessing router via ansible

interfacedy — Sat, 15 Jan 2022 17:20:10 GMT

Hi I am trying to setup ansible at Ubuntu sitting at a PC to send commands to routers/switches, but failed. Then I found the issue is these routers rufuse the client(Ubuntu) connection. Accessing to a router (7200/ver15/192.168.1.16) from Ubuntu via ssh failed as below. It looks like there is no matching cipher. After several changing different cipher as below, ssh still cannot access the router. Anyone can help to resolve the issue? Thank you

admin1@DESKTOP-935CS:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

admin1@DESKTOP-935CS:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

admin1@DESKTOP-935CS:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CS:~$

Re: Is this correct cipher for accessing router via ansible

Rob Ingram — Sat, 15 Jan 2022 18:28:24 GMT

@interfacedy the 7200 is so old is does not support the stronger DH algorithms the ubuntu server is attempting to connect with. You can modify the ubuntu server configuration to use DH group 1 or 14 as per the error message. On the ubuntu server modify /etc/ssh/ssh_config file and add the following at the end of the file.

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Save the file, restart the service using service ssh restart and connect again.

Re: What kind of cipher should be used when ssh to a router

interfacedy — Mon, 17 Jan 2022 01:26:54 GMT

Hi Rob, Thanks for your reply. I have had the issue for so long time and hope to resolve it asap. Now let me reply your reply:

You said "the 7200 is so old is does not support the stronger DH ... " The 7200 that I am using is using ios version15.2. It can be used? or change ios to other ios. If its so old, what kind of ios should I use?

Second, there is not ssh_config folder under ssh folder, but there are two similar ones under ssh folder. I got the below response when I added the commands. Is there an issue in Ubuntu?

Re: What kind of cipher should be used when ssh to a router

balaji.bandi — Sat, 15 Jan 2022 23:31:33 GMT

No need to go to cd ssh_config

ssh_config is the file

get in to sudo

follow below steps :

$sudo su ( trype root password)

#cd /etc/ssh

#ls ( you see ssh_config file)

# vi ssh_config ( use arrow to go end of the files)

Press "i" to insert

copy below line as suggested :

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

use mouse to copy and right click to paste (if you using putty)

once its pasted

press ESC key

type :wq (write the file)

restart ssh service - systemctl restart ssh

below guide helo you :

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0/340853

Re: What kind of cipher should be used when ssh to a router

interfacedy — Sun, 16 Jan 2022 04:42:10 GMT

Hi, I used nano instead of vi to edit it since not that familar with vi. I added that commands to ssh_config sucessfully. but as following, it still cannot reach the router. The link that you showed above is very same as my situation, but my case cannot go through. I tried it several times in case some of typo. I think there are two ways that I still can try: one is change Ubuntu to earlir version or change router to a new version. Is this right direction?

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc admin@192.168.1.16
ssh_dispatch_run_fatal: Connection to 192.168.1.16 port 22: Invalid key length

"Invalid key length" what it mean? How can i correct it?

---------------------- added Cipher:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.

Thanks

Re: What kind of cipher should be used when ssh to a router

balaji.bandi — Sun, 16 Jan 2022 10:06:50 GMT

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.

it is giving an error on line 56.

post output from Linux

cat /etc/ssh/ssh_config

Re: What kind of cipher should be used when ssh to a router

interfacedy — Sun, 16 Jan 2022 15:09:12 GMT

Please see below:

admin1@DESKTOP-935CSD2:/etc/ssh$ cat /etc/ssh/ssh_config

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
admin1@DESKTOP-935CSD2:/etc/ssh$

Re: What kind of cipher should be used when ssh to a router

interfacedy — Mon, 17 Jan 2022 00:26:34 GMT

After changing key, finally the issue resolved! Thank you!