
SSH from Cisco Switch to an OpenSSH Windows 2019 Server

IS34lyf
Level 1

My end goal is to copy a running configuration from a Cisco Switch to a server using SFTP or SCP. Once confirmed working, I will use Kron to automate backup.


I followed the steps on how to configure SCP on the switch:


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/sys_mgmt/b_1612_sys_mgmt_9300_cg/secure_copy.html


I installed OpenSSH on windows server 2019


From my PC, I was able to connect to the OpenSSH server through WinSCP.


I was getting an error when I connected from the Cisco Switch to the OpenSSH server.


Since I was going down the rabbit hole troubleshooting, I thought I would test if I can simply SSH from the Cisco device to the OpenSSH server. It did not work. I get this error:


Oct 6 18:32:57.316: SSH2 CLIENT 0: Channel open failed, reason = 1752134516
Oct 6 18:32:57.317: SSH CLIENT0: Session disconnected - error 0x00


Now, I looked at what encryption ciphers the Cisco switch supports, and found these:


SSHv2 only cipher list:
aes128-cbc AES 128 bits
aes128-ctr AES-CTR 128 bits
aes192-cbc AES 192 bits
aes192-ctr AES-CTR 192 bits
aes256-cbc AES 256 bits
aes256-ctr AES-CTR 256 bits


I also looked at the OpenSSH docs and it supports AES256-CTR by default. So I tried that, but got the same error.


The OpenSSH server is behind a firewall; firewall monitoring shows traffic allowed from the Cisco Switch to OpenSSH.

I also temporarily disabled the Windows firewall. No go.


Seems like a very easy concept, but I couldn't get it to work. Any help is greatly appreciated.

Thank you in advance!

Attached are the debug ip ssh logs.

7 Replies

marce1000
VIP


- Check the logs of the OpenSSH server (Windows), and look for anomalies if any (if needed turn on debugging)

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

I looked at the event viewer specifically for OpenSSH and the only related event that I saw was that the OpenSSH server accepted the SSHv2 password from the switch.


sshd: Accepted password for <username> from <switch ip address> port 17790 ssh2

Sergey Lisitsin
VIP Alumni

Hello,


If you are using a version of OpenSSH before 7.0, then try to find and comment out the

notify_hostkeys()

call in sshd.c file on the server.

I assume I'm using a new version?


Oct 7 14:00:10.629: SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_for_Windows_7.7
Oct 7 14:00:10.629: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
Oct 7 14:00:10.630: SSH2 CLIENT 0: kexinit sent: kex algo = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Oct 7 14:00:10.630: SSH2 CLIENT 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr
Oct 7 14:00:10.630: SSH2 CLIENT 0: kexinit sent: mac algo = hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96


Since there is a new version of OpenSSH, I might try that first. If you have other solutions please let me know!

Hi,

Did you get this working in the end? I'm facing the same issues; however, I'm trying without keys to see if that simplifies the solution...

I did not get it to work with OpenSSH. I ended up using a different program (Bitvise SSH).

Then I used the archive command to copy the config file with SCP automatically.

If you install OpenSSH on Server 2019 using the features install, it only installs version 7.5.
You have to go and manually download a later version from https://github.com/PowerShell/Win32-OpenSSH/releases/tag/V8.6.0.0p1-Beta


I've now managed to get it to work with password and ciphers, but I've not disabled password to force ciphers only.

This was helpful as well
https://issueexplorer.com/issue/PowerShell/Win32-OpenSSH/1788

If you have the below line in sshd_config then you are good.
Ciphers aes128-cbc,3des-cbc

I was placing the Ciphers line on a new line underneath the Match Group block, and starting sshd.exe -ddd made it clear that was the issue. I placed that block of configuration elsewhere and now the service starts fine and the device connects and uploads backups with no error.
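The placement mistake in the last reply can be caught before restarting the service. The following is an added example (not code from the thread or from Win32-OpenSSH): it scans an sshd_config for keywords that OpenSSH does not allow inside a Match block, reads the server's explicit Ciphers list, and shows which cipher a client's offer would negotiate and whether it is a CBC/3DES one. The sample configs and client cipher lists are constructed from the lists quoted in the thread; MATCH_ALLOWED is a subset of OpenSSH's real Match keywords.

```python
# Added example: check sshd_config Match-block placement and cipher negotiation.
import re

# Keywords OpenSSH accepts inside a Match block (subset of the full list);
# Ciphers is global-only, so sshd refuses to start when it appears here.
MATCH_ALLOWED = {
    "allowagentforwarding", "allowgroups", "allowtcpforwarding", "allowusers",
    "authenticationmethods", "authorizedkeysfile", "authorizedkeyscommand",
    "banner", "chrootdirectory", "denygroups", "denyusers", "forcecommand",
    "maxauthtries", "passwordauthentication", "permitrootlogin",
    "permittty", "pubkeyauthentication", "x11forwarding",
}
WEAK_CIPHER = re.compile(r"-cbc$|^3des-|^arcfour")  # CBC modes, 3DES, RC4

def check_sshd_config(text):
    """Return (problems, ciphers): problems = [(line_no, keyword)] for keywords
    inside a Match block that are not allowed there; ciphers = the server's
    explicit Ciphers list ([] means no directive, so OpenSSH defaults apply)."""
    problems, ciphers, in_match = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and indent
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            in_match = True      # all following lines are conditional until EOF
        elif in_match and keyword not in MATCH_ALLOWED:
            problems.append((n, keyword))
        if keyword == "ciphers":  # plain list only; +/-/^ prefixes not handled
            ciphers = [c.strip() for c in value.split(",") if c.strip()]
    return problems, ciphers

def negotiate(client_offer, server_ciphers):
    """SSH picks the first cipher in the client's order that the server lists."""
    return next((c for c in client_offer if c in server_ciphers), None)

def weak_ciphers(ciphers):
    return [c for c in ciphers if WEAK_CIPHER.search(c)]

# Constructed sshd_config fragments: Ciphers under Match (broken) vs global (fixed).
MISPLACED = """Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
       Ciphers aes128-cbc,3des-cbc
"""
FIXED = """Ciphers aes128-cbc,3des-cbc
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""
# Constructed client offers: the IOS cipher list and the CTR-only debug output above.
IOS_LIST = ["aes128-cbc", "aes128-ctr", "aes192-cbc", "aes192-ctr", "aes256-cbc", "aes256-ctr"]
DEBUG_OFFER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
```

Running the checks shows the misplaced directive on line 3, that the fixed config negotiates aes128-cbc (a CBC cipher) with the IOS list, and that a client offering only CTR ciphers finds no match at all.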