
Unable to SSH from XR Router to Ubuntu Server

nonamer15
Level 1

I've got an NCS 55A2 router running 6.5.1. The Ubuntu server is running 18.04.02 LTS. I'm trying to SSH from the router to the server, but it keeps failing. Below are the error messages I'm seeing on both sides.

---router---
ssh_xr[68394]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving remote KEXINIT

---server---
Protocol major versions differ for 10.240.236.173 port 40003: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-Cisco-2.0

 

The strange thing is that I have no problem with SSH from the server to the router. So I don't quite understand why there's an issue from router to server. Below are some show commands from the router.

RP/0/RP0/CPU0:Router1#sh run ssh
Wed Apr 24 13:37:32.987 EDT
ssh client source-interface Loopback0
ssh server v2
ssh server vrf default

RP/0/RP0/CPU0:Router1#sh ssh
Wed Apr 24 13:37:35.005 EDT
SSH version : Cisco-2.0 

id       chan pty     location        state           userid    host                  ver authentication connection type
-------------------------------------------------------------------------------------------------------------------------------
Incoming sessions
10       1    vty0    0/RP0/CPU0      SESSION_OPEN    john   10.240.234.92         v2  password       Command-Line-Interface 

Outgoing sessions

 

When I SSH to the server from another Cisco device, I have no issues. This was a C3560CX switch, so it runs IOS instead of IOS XR. Does anyone have any ideas as to why this is failing?

3 Replies

Seb Rupik
VIP Alumni

Hi there,

It sounds like your Ubuntu SSH service is explicitly configured to only accept client connections running SSH v2.

Search for the line 'Protocol' in /etc/ssh/sshd_config, I suspect it will look like:

Protocol 2

...change it to:

Protocol 1,2

https://linux.die.net/man/5/sshd_config

 

...and restart the service:

service ssh restart

 

Then try connecting again.

 

cheers,

Seb.

 

It sounds like your Ubuntu SSH service is explicitly configured to only accept client connections running SSH v2.

 

While I would agree with the above, I don't see it as a problem. The error message below shows that the client is capable of version 2 as well.

Protocol major versions differ for 10.240.236.173 port 40003: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-Cisco-2.0

 

v1.99 means it's capable of v1 and v2. Nevertheless, I tried what you suggested. I couldn't find anything in the configuration file in regards to Protocol (commented or uncommented). So I added the line and restarted the service. The server still wouldn't accept v1 connections. I tried from an SSH client on my PC and got the below.

The client has disconnected from the server.  Reason:
Protocol version mismatch. Required protocol version is 1.3 - 1.99.  Received version was 2.0. 

 

I'm not sure if it's possible to configure Ubuntu to allow v1 connections anymore. Even if it's possible, I wouldn't want to do that. The client is capable of v2, so there shouldn't be an issue.

Strangely, I upgraded the router from 6.5.1 to 6.5.3. I had the same issues. However, 6.5.3 allows the SSH client to be configured to only allow v2 connections. 6.5.1 does not allow this configuration setting. After making that change, it's working now. This seems like a bug to me as the client is by default configured to allow both v1 and v2. Changing it to only allow v2 should not resolve the problem, but it has.

RP/0/RP0/CPU0:Router1#sh run ssh
Thu Apr 25 15:53:02.835 UTC
ssh client v2

 

Following up on this. You have hit an issue where OpenSSH has broken support for clients that advertise support for SSH version 1 and 2 (SSH 1.99). This occurs with OpenSSH 7.6, which is bundled with Ubuntu 18.04.

 

This is fixed in OpenSSH 7.7+

https://www.openssh.com/txt/release-7.7

 

Fix support for client that advertise a protocol version
   of "1.99" (indicating that they are prepared to accept both SSHv1 and
   SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
   support.
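
As an added example (not part of the thread, and not OpenSSH's or Cisco's code), this sketch parses the two identification strings from the server log and contrasts a major-number-only comparison, a simplified model of the rejection seen here, with a check that treats "1.99" as SSHv2-capable. The function names and the `SSH-1.5-Example_1.0` banner are constructed for illustration.

```python
import re

# Identification string: "SSH-protoversion-softwareversion[ SP comments]".
# The software field is matched leniently (\S+) because real banners such as
# "Cisco-2.0" contain a '-' that a strict reading of the format would reject.
_IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")

# The two banners quoted in the server log above, plus one constructed v1 peer.
SERVER = "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"
ROUTER = "SSH-1.99-Cisco-2.0"
LEGACY = "SSH-1.5-Example_1.0"  # constructed sample, not from the thread


def parse_ident(line):
    """Return (major, minor, software) from an SSH identification string."""
    m = _IDENT.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def major_only_match(local, remote):
    """Simplified model of the failure: compare major numbers and nothing else."""
    return parse_ident(local)[0] == parse_ident(remote)[0]


def speaks_v2(ident):
    """True if the peer can run SSHv2: protoversion 2.x, or the 1.99 marker."""
    major, minor, _ = parse_ident(ident)
    return major == 2 or (major, minor) == (1, 99)


def classify(ident):
    """Label a banner for an inventory of which peers still advertise SSHv1."""
    major, minor, _ = parse_ident(ident)
    if (major, minor) == (1, 99):
        return "v1+v2 (advertises 1.99)"
    return "v2 only" if major == 2 else "v1 only"


if __name__ == "__main__":
    for banner in (SERVER, ROUTER, LEGACY):
        print("%-45s %-24s v2-capable=%s" % (banner, classify(banner), speaks_v2(banner)))
    print("major-only comparison accepts router:", major_only_match(SERVER, ROUTER))
```

Running `classify` over banners collected from your own devices shows which ones still advertise 1.99 and would be affected when connecting to an OpenSSH 7.6 server.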

 
