cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2357
Views
5
Helpful
6
Replies

CML : no matching key exchange method found

networkinggeek
Level 1
Level 1

I am trying to logging from ubuntu a Cisco IOS router, but ssh is failing.  Please advise!!!

 

I have tried below, I tried updating sshd file in ubuntu with old algorithm, restarting, rekeying crypto but all of that still returns same error.

ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-ctr cisco@x.x.x.x
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-ctr x.x.x.x 

cisco@inserthostnamehere:~$ ssh cisco@192.168.3.1
Unable to negotiate with 192.168.3.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

 

R1#sh running-config  all | sec algorithm
ip cef load-sharing algorithm universal B7CDABD2
ipv6 cef load-sharing algorithm universal B7CDABD2
ip http digest algorithm md5
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
ip ssh client algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

 

 

R1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): R1.CML
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC6Cue9eiHySDZJb8H1aqsp/R/4XGmIHZ/fdF0SIXwq
C/LC1V9CGTlMEUItwFamSfyj3Xm0lweERKiOPme1pS2nyW5OARGPiUIlRPQXLhgDgnhrxO2nBuxh5vxM
YFwEYiZOCTqFvm4R0s5olNkd0+DO3Q7OMpjXhi/4Obr8IghiVw==
R1#
6 Replies 6

Karlo Bobiles - Cisco
Cisco Employee
Cisco Employee

Hello networkinggeek,

 

Try using the following command:

 

ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 -c aes256-ctr -l <username> x.x.x.x

 

 

which is a bit different from what you've entered as the key exchange method offered in the list is different:

 

ssh.png

 

ssh entry.png

 

Also, for CML-Personal support, you can actually open  a thread on the Cisco Learning Network here: https://learningnetwork.cisco.com/s/topic/0TO3i00000094ZjGAI/cisco-modeling-labs-personal-community


Cheers,

Karlo Bobiles

Cisco Learning Network

 

This may work when explicitly specified but still not convenient at all. I can see multiple complaints so why do you guys not have permanent fix since one year? Also I am trying to use python/ or Ansible to access the device, and again that fails, How to overcome that from script please explain?

Hey networkinggeek,

 

Totally understand, at least there's a documented workaround.

 

Not a CML issue per se, but definitely something I can pass along to the appropriate (node image) team for future enhancements and fixes.

 

As for your Python/Ansible access issues, best to open a thread on the proper support community and include as much info about what you're trying to run (scripts, python and ansible versions, logs, etc). Once that's uploaded, I can ping one of the CML Developers or maybe someone from DevNet for assistance.

 

Cheers,

Karlo Bobiles

Cisco Learning Network

Even though its a (node image) team issue, but its all part of CML?  I have seen about 5+ threads open on exact same issue and this need to be addressed at priority, if during half of my yearly subscription, I cannot do what I was hoping to learn then whats the point of selling CML. 

 

I have raised another request on CLN, since I get same error when Ansible script tries to ssh, please escalate to your developers. 

 

https://learningnetwork.cisco.com/s/question/0D56e0000BzojQ3CQI/host-key-mismatch-no-matching-key-exchange-method-found

Hello networkinggeek,

 

Thanks for opening a thread on the Cisco Learning Network. Let's continue troubleshooting your Ansible/Python issue there instead.

As for "Even though its a (node image) team issue, but its all part of CML?"

CML doesn’t control the underlying OSes any more than ESXi would control the VMs that run under it. When a node’s behavior changes we can capture that as an issue and let the community know.

For the supported features, the VMs in CML give you the same behavior (including the same bugs!) as you'd see with the corresponding versions of the network operating systems running on real routers and switches. IOSv is the older, monolithic IOS 15.x operating system. You'd see this same problem if you were trying to SSH from an Ubuntu server to a Catalyst 3560 switch that's running "classic IOS".

 

Thank you,

Karlo Bobiles

Cisco Learning Network

zachartl
Level 1
Level 1

Have the latest CML images discontinued the use of SHA-1 DH Key Exchanges? Thank you