Unable to ssh into the router

Hello.

I have just configured a router and when I try to SSH into it I am getting the error below:

ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: incorrect signature

What could be the problem? This is the output from the "show ip ssh" command:

DRC_Branch_RTR#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): CISCO_IDEVID_SUDI
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0wbK7VRcC6wiSvH544oVka/QXoUHpZ5ebMG93L6QA
EhZ7JKfpS0+vSrs9re2cUKaHFGPt6dN8YK7sVowPEb1IEHVETb9vb1XaN5fabMNVbNP+eIruYlP7gj8+
NYKbNE8bwYCYUpU43nnWFI5gm+VncDWL8bcSP9AQunMI89FFguCNs5vMrewaazLqHcvYO0ngohwxaO2W
QUNFbaAmxQVFam+CMLysDnu7u4DWeuFmUudcihcK4K7hNIbpxIy7vR1BSKqC9cPj9FDS2IsfKH34t62X
jN9XajOIyP26jGoi2Z2RI5yRmPkMu3wWiAOdoMWr9ZWbJAXnSQbtYH12f9P9


Enes Simnica
Level 4

@vitumbiko nkhwazi That error usually means your SSH client doesn't accept the key type or the router is missing RSA keys.

Check whether RSA keys exist with show crypto key mypubkey rsa.
If not, generate them using crypto key generate rsa.

Also, newer SSH clients disable ssh-rsa by default. You can force it by adding -oHostKeyAlgorithms=+ssh-rsa to your SSH command.

And, why not, check that your vty lines have transport input ssh and login local.


-Enes


more Cisco?!
more Gym?!

@Enes Simnica the RSA key exists, see the output below:

DRC_Branch_RTR#sh crypto key mypubkey rsa
% Key pair was generated at: 17:35:18 CAT Jul 28 2025
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B4C1B2 BB551702 EB0892BC 7E78E285 646BF417 A141E967 979B306F 772FA400
12167B24 A7E94B4F AF4ABB3D ADED9C50 A6871463 EDE9D37C 60AEEC56 8C0F11BD
48107544 4DBF6F6F 55DA3797 DA6CC355 6CD3FE78 8AEE6253 FB823F3E 35829B34
4F1BC180 98529538 DE79D614 8E609BE5 6770358B F1B7123F D010BA73 08F3D145
82E08DB3 9BCCADEC 1A6B32EA 1DCBD83B 49E0A21C 3168ED96 4143456D A026C505
456A6F82 30BCAC0E 7BBBBB80 D67AE166 52E75C8A 170AE0AE E13486E9 C48CBBBD
1D4148AA 82F5C3E3 F450D2D8 8B1F287D F8B7AD97 8CDF576A 3388C8FD BA8C6A22
D99D9123 9C9198F9 0CBB7C16 88039DA0 C5ABF595 9B2405E7 4906ED60 7D767FD3
FD020301 0001
% Key pair was generated at: 17:35:18 CAT Jul 28 2025
Key name: CISCO_IDEVID_SUDI.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AC3B85 6064149C
4D3A7049 1C4125B1 C662012E ABB02ADE 5A70D495 82321647 34FAEF79 00673B15
BEDA9B40 BB6E9CD8 B22FB8AE 73502191 E942A971 59647255 A04D257A 7463148A
63BBDB1F 090F18DF 91D23482 2AE3B7E2 3BD9CAA4 44578C07 C7020301 0001
% Key pair was generated at: 14:54:25 CAT Jul 29 2025
Key name: DRC_Branch_RTR.REDBRIGADE.local
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00C938FE 85E213C2 F6671B3F 71A01504 77ABECBD 0E1B84F9 C9E943EB 423887F3
6D686B84 38D9E14B 421FF019 3FEA918C 23FCC207 D7099ACF 8BADB3A7 C842F527
D64CCC71 2A863E76 9D3A2C04 4B31E575 7D80EAA2 96901E66 31F7EFD4 5AA3A297
144F0AD1 AB396140 A85E7C40 51EDB17C 4AE7B0FD 59FBD77E 5C3A364C 4D413865
C4215717 C6F0AD9C 5A5E4F1E D64EC58C 27616626 F96C7870 9DCCE04C BF1CAE3B
1369B988 6ADC1550 77B0824F 0022720E 0EB3BD5C 6B272C19 00088CB4 3FB11DA6
1AB86CD4 3C821591 4DCF5A64 53FDE6AA E42FEB55 19E9783B 8E398D18 850CF3EE
2072B1DB 687A58D3 CC910854 A0E6455F 23B65610 83511764 24F6B2A4 0FE75D3C
924FFD60 BB8ED555 2BCA5F1B E6316178 171E125E 81A04C6B 769760C3 42B8A53E
71AC1557 163DF5F2 DF45288F AD546DBF 261EDFBA BAF3EC5E 80E856A7 185FCBD7
AB543923 B4F2FF41 6565E3AB 4DE42E06 1C012800 30CB3C8E B80106D4 07CA37E4
F46E273F 13516B98 1A05904B 7594C77D 412C8076 CC3D7A16 DB5D72D6 70049ADE
BD406B22 E16EFF0B A75E928F 0F2E2C22 BD2B66A3 282BFAA2 8580648B CBE3DA3F
E4E7970C A90653E4 D548E1DF 08DA5CBC C25BF24F 22248464 9764FD81 62E90181
1E1A8EA9 17EFB5F9 6B6367C6 17C2B33C 4F0BF7B3 08E10F6E 4CCA966C CCCCAF9A
E99CB1B1 49553B6A 705A44DA 72087F7F 8654BA21 BC030F56 ECC8B990 87AD9779
11020301 0001
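The two outputs above show the same router's keys in two encodings: the SECSH line in "show ip ssh" (base64 ssh-rsa wire blob) and the hex dumps in "show crypto key mypubkey rsa" (DER SubjectPublicKeyInfo). The following is an added example, not code from the thread: it parses both forms, confirms that the SECSH line is the CISCO_IDEVID_SUDI key and not the DRC_Branch_RTR.REDBRIGADE.local key, and computes the SHA256 fingerprint OpenSSH prints in its host-key prompt for each candidate, so the client-side prompt can be matched against a specific router key. The key material is copied verbatim from the thread; the function names and the minimal DER reader are mine.

```python
"""Which host key is the router presenting?  Added example (not from the thread):
parse the SECSH line and the DER hex dumps shown above, check they agree, and print
the OpenSSH-style SHA256 fingerprint of each candidate RSA key."""
import base64
import hashlib
import struct

# Copied from 'show ip ssh' above (IOS Keys in SECSH format, CISCO_IDEVID_SUDI).
SECSH_B64 = """
AAAAB3NzaC1yc2EAAAADAQABAAABAQC0wbK7VRcC6wiSvH544oVka/QXoUHpZ5ebMG93L6QA
EhZ7JKfpS0+vSrs9re2cUKaHFGPt6dN8YK7sVowPEb1IEHVETb9vb1XaN5fabMNVbNP+eIruYlP7gj8+
NYKbNE8bwYCYUpU43nnWFI5gm+VncDWL8bcSP9AQunMI89FFguCNs5vMrewaazLqHcvYO0ngohwxaO2W
QUNFbaAmxQVFam+CMLysDnu7u4DWeuFmUudcihcK4K7hNIbpxIy7vR1BSKqC9cPj9FDS2IsfKH34t62X
jN9XajOIyP26jGoi2Z2RI5yRmPkMu3wWiAOdoMWr9ZWbJAXnSQbtYH12f9P9
"""
# Copied from 'show crypto key mypubkey rsa' above: DER SubjectPublicKeyInfo as hex.
SUDI_DER_HEX = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B4C1B2 BB551702 EB0892BC 7E78E285 646BF417 A141E967 979B306F 772FA400
12167B24 A7E94B4F AF4ABB3D ADED9C50 A6871463 EDE9D37C 60AEEC56 8C0F11BD
48107544 4DBF6F6F 55DA3797 DA6CC355 6CD3FE78 8AEE6253 FB823F3E 35829B34
4F1BC180 98529538 DE79D614 8E609BE5 6770358B F1B7123F D010BA73 08F3D145
82E08DB3 9BCCADEC 1A6B32EA 1DCBD83B 49E0A21C 3168ED96 4143456D A026C505
456A6F82 30BCAC0E 7BBBBB80 D67AE166 52E75C8A 170AE0AE E13486E9 C48CBBBD
1D4148AA 82F5C3E3 F450D2D8 8B1F287D F8B7AD97 8CDF576A 3388C8FD BA8C6A22
D99D9123 9C9198F9 0CBB7C16 88039DA0 C5ABF595 9B2405E7 4906ED60 7D767FD3
FD020301 0001
"""
REDBRIGADE_DER_HEX = """
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00C938FE 85E213C2 F6671B3F 71A01504 77ABECBD 0E1B84F9 C9E943EB 423887F3
6D686B84 38D9E14B 421FF019 3FEA918C 23FCC207 D7099ACF 8BADB3A7 C842F527
D64CCC71 2A863E76 9D3A2C04 4B31E575 7D80EAA2 96901E66 31F7EFD4 5AA3A297
144F0AD1 AB396140 A85E7C40 51EDB17C 4AE7B0FD 59FBD77E 5C3A364C 4D413865
C4215717 C6F0AD9C 5A5E4F1E D64EC58C 27616626 F96C7870 9DCCE04C BF1CAE3B
1369B988 6ADC1550 77B0824F 0022720E 0EB3BD5C 6B272C19 00088CB4 3FB11DA6
1AB86CD4 3C821591 4DCF5A64 53FDE6AA E42FEB55 19E9783B 8E398D18 850CF3EE
2072B1DB 687A58D3 CC910854 A0E6455F 23B65610 83511764 24F6B2A4 0FE75D3C
924FFD60 BB8ED555 2BCA5F1B E6316178 171E125E 81A04C6B 769760C3 42B8A53E
71AC1557 163DF5F2 DF45288F AD546DBF 261EDFBA BAF3EC5E 80E856A7 185FCBD7
AB543923 B4F2FF41 6565E3AB 4DE42E06 1C012800 30CB3C8E B80106D4 07CA37E4
F46E273F 13516B98 1A05904B 7594C77D 412C8076 CC3D7A16 DB5D72D6 70049ADE
BD406B22 E16EFF0B A75E928F 0F2E2C22 BD2B66A3 282BFAA2 8580648B CBE3DA3F
E4E7970C A90653E4 D548E1DF 08DA5CBC C25BF24F 22248464 9764FD81 62E90181
1E1A8EA9 17EFB5F9 6B6367C6 17C2B33C 4F0BF7B3 08E10F6E 4CCA966C CCCCAF9A
E99CB1B1 49553B6A 705A44DA 72087F7F 8654BA21 BC030F56 ECC8B990 87AD9779
11020301 0001
"""


def der_read(buf, off=0):
    """Minimal DER TLV reader: returns (tag, value, offset_after_tlv)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def rsa_from_spki_hex(hex_text):
    """SubjectPublicKeyInfo (rsaEncryption) -> (n, e)."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, _ = der_read(der)
    assert tag == 0x30, "expected outer SEQUENCE"
    _, _alg, off = der_read(spki)           # AlgorithmIdentifier {rsaEncryption, NULL}
    tag, bits, _ = der_read(spki, off)
    assert tag == 0x03, "expected BIT STRING"
    _, rsapub, _ = der_read(bits[1:])       # bits[0] is the unused-bit count, then RSAPublicKey
    _, n_bytes, off = der_read(rsapub)
    _, e_bytes, _ = der_read(rsapub, off)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_from_secsh(b64_text):
    """ssh-rsa wire blob (RFC 4253 string / mpint fields) -> (keytype, n, e)."""
    blob = base64.b64decode("".join(b64_text.split()))
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    keytype, e_bytes, n_bytes = fields      # wire order is type, e, n
    return keytype.decode(), int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_rsa_blob(n, e):
    """Re-encode (n, e) as the ssh-rsa blob that OpenSSH hashes for fingerprints."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:                     # mpint is signed: keep it positive
            b = b"\x00" + b
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


def openssh_fingerprint(n, e):
    """Same value 'ssh-keygen -lf' prints: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def candidate_host_keys():
    """name -> (modulus bits, fingerprint) for the RSA keys the router listed."""
    out = {}
    for name, hex_text in (("CISCO_IDEVID_SUDI", SUDI_DER_HEX),
                           ("DRC_Branch_RTR.REDBRIGADE.local", REDBRIGADE_DER_HEX)):
        n, e = rsa_from_spki_hex(hex_text)
        out[name] = (n.bit_length(), openssh_fingerprint(n, e))
    return out


def secsh_line_is_sudi():
    """True if re-encoding the SUDI (n, e) reproduces the 'show ip ssh' line byte for byte."""
    n, e = rsa_from_spki_hex(SUDI_DER_HEX)
    return ssh_rsa_blob(n, e) == base64.b64decode("".join(SECSH_B64.split()))


if __name__ == "__main__":
    for name, (bits, fp) in candidate_host_keys().items():
        print(f"{bits:5d} {fp} {name}")
    print("'show ip ssh' advertises the SUDI key:", secsh_line_is_sudi())
```

When the client prompts "RSA key fingerprint is SHA256:...", compare it with the two fingerprints this prints: that tells you which of the router's keys was actually sent in KEXDH_REPLY, independently of what the SECSH line in "show ip ssh" claims. The DER reader handles only the SEQUENCE / BIT STRING / INTEGER tags this structure uses and is not a general ASN.1 parser.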

M02@rt37
VIP

Hello @vitumbiko nkhwazi 

Thanks for the output. Your router is trying to use a certificate-based x509v3 key (SUDI) that your SSH client does not trust or support...

The easiest way to fix it is to generate a standard RSA key with the crypto key generate rsa command, which will fall back to ssh-rsa.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

The RSA key already exists. Is there a way to disable the certificate-based x509v3 (SUDI) key?

@vitumbiko nkhwazi 

no crypto pki trustpoint SUDI

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

debug ip ssh <<<- run this on the router and try to access it via SSH

MHM


*Jul 29 14:58:46.154: SSH1: starting SSH control process
*Jul 29 14:58:46.154: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
*Jul 29 14:58:46.154: SSH1: protocol version id is - SSH-2.0-OpenSSH_8.0
*Jul 29 14:58:46.154: SSH2 1: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
*Jul 29 14:58:46.154: SSH2 1: kexinit sent: hostkey algo = ssh-rsa
*Jul 29 14:58:46.154: SSH2 1: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
*Jul 29 14:58:46.154: SSH2 1: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
*Jul 29 14:58:46.154: SSH2 1: send:packet of length 368 (length also includes padlen of 5)
*Jul 29 14:58:46.154: SSH2 1: SSH2_MSG_KEXINIT sent
*Jul 29 14:58:46.161: SSH2 1: ssh_receive: 1392 bytes received
*Jul 29 14:58:46.161: SSH2 1: input: total packet length of 1392 bytes
*Jul 29 14:58:46.161: SSH2 1: partial packet length(block size)8 bytes,needed 1384 bytes,
maclen 0
*Jul 29 14:58:46.161: SSH2 1: input: padlength 8 bytes
*Jul 29 14:58:46.161: SSH2 1: SSH2_MSG_KEXINIT received
*Jul 29 14:58:46.161: SSH2 1: kex: client->server enc:aes256-ctr mac:hmac-sha1
*Jul 29 14:58:46.161: SSH2 1: kex: server->client enc:aes256-ctr mac:hmac-sha1
*Jul 29 14:58:46.161: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
*Jul 29 14:58:46.167: SSH2 1: ssh_receive: 24 bytes received
*Jul 29 14:58:46.167: SSH2 1: input: total packet length of 24 bytes
*Jul 29 14:58:46.167: SSH2 1: partial packet length(block size)8 bytes,needed 16 bytes,
maclen 0
*Jul 29 14:58:46.167: SSH2 1: input: padlength 6 bytes
*Jul 29 14:58:46.167: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Jul 29 14:58:46.167: SSH2 1: Range sent by client is - 2048 < 4096 < 8192
*Jul 29 14:58:46.167: SSH2 1: Modulus size established : 4096 bits
*Jul 29 14:58:46.167: SSH2 1: send:packet of length 536 (length also includes padlen of
*Jul 29 14:58:46.256: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
*Jul 29 14:58:46.256: SSH2 1: ssh_receive: 528 bytes received
*Jul 29 14:58:46.256: SSH2 1: input: total packet length of 528 bytes
*Jul 29 14:58:46.256: SSH2 1: partial packet length(block size)8 bytes,needed 520 bytes,
maclen 0
*Jul 29 14:58:46.256: SSH2 1: input: padlength 6 bytes
*Jul 29 14:58:46.256: SSH2 1: SSH2_MSG_KEXDH_INIT received
*Jul 29 14:58:46.613: SSH2 1: signature length 527
*Jul 29 14:58:46.613: SSH2 1: send:packet of length 1600 (length also includes padlen of
*Jul 29 14:58:46.613: SSH2: kex_derive_keys complete
*Jul 29 14:58:46.613: SSH2 1: send:packet of length 16 (length also includes padlen of 10)
*Jul 29 14:58:46.613: SSH2 1: newkeys: mode 1
*Jul 29 14:58:46.614: SSH2 1: SSH2_MSG_NEWKEYS sent
*Jul 29 14:58:46.614: SSH2 1: waiting for SSH2_MSG_NEWKEYS
*Jul 29 14:58:46.620: SSH2 1: SSH ERROR closing the connection
*Jul 29 14:58:46.620: SSH2 1: send:packet of length 80 (length also includes padlen of 15)
*Jul 29 14:58:46.620: SSH2 1: computed MAC for sequence no.#4 type 1
*Jul 29 2025 16:58:46 CAT: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 10.50.240.1
*Jul 29 14:58:46.720: SSH1: Session disconnected - error 0x00

ip ssh rsa keypair-name <hostname>

Try adding this and check.

MHM

Jens Albrecht
Level 7

Hello @vitumbiko nkhwazi,

based on your output you are running an IOS-based router.

On these routers the default setting is to prefer Certificate-based authentication for SSH connections.

You can change the default to only allow Publickey-based authentication with the following command:

ip ssh server algorithm hostkey ssh-rsa

This command allows you to use the RSA key you created and disables the Certificate-based authentication for SSH.

HTH!
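Two of the replies above touch the two sides of the SSH algorithm negotiation: Enes's note that newer clients drop ssh-rsa unless you add -oHostKeyAlgorithms=+ssh-rsa, and Jens's ip ssh server algorithm hostkey ssh-rsa on the router. The following is an added example, not code from the thread: it replays the RFC 4253 section 7.1 name-list negotiation (for each category, the first algorithm in the client's preference order that the server also lists wins, otherwise the connection fails) using the router's hostkey, encryption and MAC lists copied from the "show ip ssh" output above. The two client profiles are constructed for illustration and are not a verbatim copy of any OpenSSH release's defaults; the function names are mine.

```python
"""RFC 4253 section 7.1 name-list negotiation replayed against this router.  Added
example: router lists copied from 'show ip ssh' above, client profiles constructed."""


class NegotiationError(Exception):
    def __init__(self, category, client_list, server_list):
        super().__init__(f"no matching {category}: client {client_list} vs server {server_list}")
        self.category = category


# Lists the router advertises, copied from the thread's 'show ip ssh' output.
ROUTER_DEFAULT = {
    "hostkey": ["x509v3-ssh-rsa", "ssh-rsa"],
    "encryption": ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96"],
}

# The router after 'ip ssh server algorithm hostkey ssh-rsa' (Jens's reply):
# only the hostkey list changes, the cipher and MAC lists stay as above.
ROUTER_SSH_RSA_ONLY = dict(ROUTER_DEFAULT, hostkey=["ssh-rsa"])

# Constructed client profiles (illustrative, not any real release's exact defaults).
# Profile 1 still lists ssh-rsa and hmac-sha1, as an OpenSSH 8.0-era client does.
CLIENT_LEGACY_OK = {
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "encryption": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                   "aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
}
# Profile 2 models a hardened or newer client: no ssh-rsa signatures, no SHA-1 MACs.
CLIENT_HARDENED = {
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "encryption": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}


def negotiate(client, server):
    """Per category, pick the first client-preferred algorithm the server also lists."""
    chosen = {}
    for category, prefs in client.items():
        for alg in prefs:
            if alg in server[category]:
                chosen[category] = alg
                break
        else:
            raise NegotiationError(category, prefs, server[category])
    return chosen


def with_option(client, category, extra):
    """Model 'ssh -o <Category>=+<alg>': append alg at lowest preference, keep the rest."""
    out = {k: list(v) for k, v in client.items()}
    out[category].append(extra)
    return out


def failing_category(client, server):
    """The category on which negotiation fails, or None when all three succeed."""
    try:
        negotiate(client, server)
    except NegotiationError as err:
        return err.category
    return None


if __name__ == "__main__":
    print("legacy-tolerant client:", negotiate(CLIENT_LEGACY_OK, ROUTER_DEFAULT))
    print("hardened client fails on:", failing_category(CLIENT_HARDENED, ROUTER_DEFAULT))
    fixed = with_option(CLIENT_HARDENED, "hostkey", "ssh-rsa")
    print("... with +ssh-rsa fails on:", failing_category(fixed, ROUTER_DEFAULT))
    fixed = with_option(fixed, "mac", "hmac-sha1")
    print("... plus +hmac-sha1:", negotiate(fixed, ROUTER_DEFAULT))
```

The legacy-tolerant profile lands on ssh-rsa, aes256-ctr and hmac-sha1, the same three choices the debug ip ssh output earlier in the thread records, and it lands on them whether or not the router has been restricted to ssh-rsa, because the client's preference order decides and the debug already shows the router skipping x509v3-ssh-rsa when no trustpoint is present. The hardened profile fails at the hostkey step; adding +ssh-rsa moves the failure to the MAC step, since this router only offers hmac-sha1 and hmac-sha1-96, so a client without SHA-1 MACs also needs -oMACs=+hmac-sha1 against the router as configured. Neither outcome is the "incorrect signature" error in the original post, which arises after negotiation succeeds, when the client verifies the server's KEXDH signature against the host key it received.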