Re: Lubuntu 18.04 can't SSH to Cisco Router: no matching key exchange method found. Their offer: dif...

write_erase · ‎03-31-2020

I'm not sure if this problem caused by Lubuntu or Cisco Router side.

Lubuntu = 192.168.1.100
Cisco Router = 192.168.1.1

SSH from Lubuntu to Cisco Router

user@linux:~$ ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
user@linux:~$

user@linux:~$ ssh admin@192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$

This is on Cisco Router side

R1#
*Mar 1 01:41:19.631: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
R1#

SSH Verbose

user@linux:~$ ssh 192.168.1.1 -l admin -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 192.168.1.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$

More Cisco Log

R1(config)#ip ssh logging events
R1(config)#
R1(config)#
*Mar 1 01:56:21.723: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
R1(config)#
*Mar 1 01:56:21.723: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.1.100 (tty = 0) using crypto cipher '', hmac '' Failed
*Mar 1 01:56:21.723: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.1.100 (tty = 0) for user '' using crypto cipher '', hmac '' closed
R1(config)#

What is the problem here and how to fix it?

marce1000 · ‎03-31-2020

- Following a link like mentioned below you will notice that this is a weak cipher

diffie-hellman-group1-sha1

; you may want to upgrade the router to a more recent software version and check if the problem persists.

https://www.openssh.com/legacy.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Seb Rupik · ‎03-31-2020

Hi there,

@marce1000 suggestion is the correct one moving forward, but you can force the SSH client to connect by specifying the crypto parameters:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-gcm -l admin 192.168.1.1

cheers,

Seb.

Lubuntu 18.04 can't SSH to Cisco Router: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1