cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
42771
Views
11
Helpful
13
Replies

ssh into a switch - no matching key exchange method found

fabioairoldi
Level 1
Level 1

Hello all,

I have inherited an infrastructure with several catalyst 9200 switches. A few of them are unreachable when using ssh from a terminal, such as a linux server or Powershell. The error message is this:

Unable to negotiate with <IP ADDRESS> port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

this is needed beacuse I have a linux server that needs to log into the switches automatically for backup; however, all of them are reachable using SSH from PUTTY, so it's not like ssh protocol isn't up.

This issue is not related to the login used, with the same login credentials I log into every switch using PUTTY, but only some using ssh from linux/powershell.

can you please suggest which parts of the config can I look at to troubleshoot this? I can see that the line vty are all configured the same way and the

ip ssh version 2

line is in every config

 

thanks in advance

F.

1 Accepted Solution

Accepted Solutions

thank you and glad suggestion work for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

13 Replies 13

balaji.bandi
Hall of Fame
Hall of Fame

 

but only some using ssh from linux/powershell.

 

what Linux  ditro you using, you can update your ciphers - follow below guide :

https://www.petenetlive.com/kb/article/0001245

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This worked for me, thank you.

sudo nano /etc/ssh/ssh_config

[Enter Password]

Locate the line ‘ #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the Hash/Pound sign from the beginning.

Then paste the following on the end; (bottom of the file) then save and try again.

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

thank you and glad suggestion work for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thanks I fixed my issue 

The server offers "diffie-hellman-group-exchange-sha1" and "diffie-hellman-group14-sha1". These are older algorithms, possibly disabled by default on your SSH client due to security concerns (Mac did this a few years back). Use ssh -vV <IP_ADDRESS> to see detailed debug output, including supported algorithms by both client and server. 

This is a temporary workaround and weakens security. Edit your SSH client configuration to allow the specific algorithms offered by the switch. Add KexAlgorithms=diffie-hellman-group1-sha1 to your SSH configuration.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

I seem to already have this line in my ssh_config file, yet it doesn't work.

As I have two Catalyst 9200 switches (call them SW1 and SW2), the exact same model, SW1 is refusing the connection while SW2 is accepting it... is there any command to modify the ssh config of SW1 rather than the server's?

fabioairoldi_0-1713539534393.png

 

 

Use command show ip ssh all on SW1. This will display the current SSH server configuration, including the supported key exchange methods. You can then enable those on SW2.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

I can see there's differences... can I ask you all if there are commands to enable the missing algorithms and everything else? Are there any security issues in doing so?

 

fabioairoldi_0-1713881559691.png

 

IOS XE  do the below you see the ciphers :

#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,e cdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-s ha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac- sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-h ellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-244449417
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

it might just be easier, and save time, to reset the switch to factory defaults. Here is the procedure:

If you do not have access to the CLI of a Cisco Catalyst 9200 switch and need to reset it to factory defaults, you can perform a hardware reset using the mode button on the front panel of the switch. Here's how you can do it:

1. **Power Off the Switch**: Make sure the switch is powered off completely.

2. **Locate the Mode Button**: On the front panel of the switch, locate the Mode button. It is typically recessed and may require a small tool like a paperclip to press.

3. **Press and Hold the Mode Button**: Press and hold down the Mode button.

4. **Power On the Switch**: While continuing to hold down the Mode button, power on the switch.

5. **Wait for LED Indications**: Continue holding down the Mode button until the LED indicators on the front panel start flashing sequentially.

6. **Release the Mode Button**: Once the LED indicators start flashing, release the Mode button.

7. **Wait for Reset**: The switch will now reset to factory defaults. This process may take a few minutes.

8. **Verify Factory Defaults**: Once the reset process is complete, you can verify that the switch has been reset to factory defaults by observing its behavior when it boots up. You should see the switch go through its initial setup process as if it were brand new.

This hardware reset procedure should restore the switch to its factory default configuration, removing all existing configuration settings. Keep in mind that performing a hardware reset will also erase any configuration files stored on the switch, including the startup configuration file.

I am also having this issue and followed these steps but this did not fix the issue. Is there a way to enable the missing algorithms? 

marinogr
Level 1
Level 1

I have had the same problem when upgrade on IOS XE 17.12.03

I have reconfigured ssh server algorithm and now it works:

Example:

ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc

It support:

(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes128-gcm AES with 128-bit key GCM mode
aes128-gcm@openssh.com AES with 128-bit key GCM openssh mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
aes256-gcm AES with 256-bit key GCM mode
aes256-gcm@openssh.com AES with 256-bit key GCM openssh mode
chacha20-poly1305@openssh.com chacha20 cipher with poly1305 mac

 

(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)

taoza
Level 1
Level 1

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostkeyAlgorithms=+ssh-rsa,ssh-dss