cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3683
Views
5
Helpful
7
Replies

PI3.2 - Nexus5k SSH Cipher missmatch

STEFFEN NEUSER
Level 4
Level 4

Hello,

How can you make prime-infra ssh speaking with NX5K switches using cbr in place of cbc mode in their ciphers?

Cisco Nexus 5672UP Switch, NXOS7.1, SSH v2 enabled

No matching ciphers found: Client (x.y.z.a)supported ciphers: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc .Server supported ciphers :aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[2751]

thx for hints in advance,

Steffen

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

Newer NX-OS has disabled the older cbc encryption types.

That can be reverted if you accept the the less secure encryption.

The procedure is as described in this tech note:

http://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/200663-Unable-to-SSH-into-Nexus-9K-fatal.html

Thx for the NX-solution.

Is there also a solution to can fix it at Prime Infrastructure?

 

There's no supported solution as far as I know from the PI side.

I'm not quite sure why PI isn't using the available ciphers. It may be worth a TAC case.

I checked what they are by going into the shell of PI and looking at the ssh config. It's RHEL under the covers (more or less) and, as you can see in the output below, the ssh client should be able to offer the ctr ciphers.

ade # pwd
/etc/ssh
ade # sudo cat ./sshd_config | grep Ciphers
# Ciphers and keying
Ciphers aes256-cbc,aes256-ctr,aes192-cbc,aes192-ctr,aes128-cbc,aes128-ctr,3des-cbc
ade #

I also checked what I connect as when just manually ssh-ing from the PI 3.2 cli. I see it as an aes-128 ctr session. Perhaps PI has some hard-coded bits telling it to use only ctr mode?

OPTIMUS/admin# ssh 10.12.254.254 mrhoads
The authenticity of host '10.12.254.254 (10.12.254.254)' can't be established.
RSA key fingerprint is SHA256:JH1Ri3/xJ0//q95/MDez5oK7y8V1JlRpsYFtA9YWL0U.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.12.254.254' (RSA) to the list of known hosts.

<banner removed>

password :

DIST-01#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtLz777cCy7BQCrM0xgCmmygFxHBnSSO7BqgDHXf31
odu1DSPRVhM0iDk4kBk/HQGihH+xBiZ+76sxtkFo3muYnWuc+8Vw3jtvW5IiuMb8CGZE6vb0SnIEE1OM
8SzXrX479Ows8eYKCWVd4FUECKiQHTJv3YnUcLrJmlgVkqv0Gw==
DIST-01#sh ss
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-ctr hmac-sha1 Session started mrhoads
0 2.0 OUT aes128-ctr hmac-sha1 Session started mrhoads
%No SSHv1 server connections running.
DIST-01#

sshd_config is allready configured by default (v3.2) to use the ctr and cbc ciphers. But this is just ssh-server on PI related and so for SWIM call back of XR systems only related. 

But in case you edit the ssh client configuration file ssh_config, you can add the missing ciphers. But this has no influance at PI. Mayby PI is using a Java lib for SSH client functionality in place of the system ssh client binary.

There is a TAC-case opened allready.

 

OK - please let us know what the TAC comes up with.

I spoke with the one who administer the NX5K switches: The mentioned NX9K procedure should'nt be applicabable for NX5K switches...  

 

Hi everyone, did you find any solution Prime or Nexus 5k side?