
What kind of cipher should be used when ssh to a router

interfacedy
Spotlight

Hi, accessing a router (7200/IOS 15/192.168.1.16) from Ubuntu via SSH failed as below. It looks like there is no matching cipher. After several tries changing to different ciphers as below, ssh still cannot access the router. Can anyone share some solutions? Thank you

 

admin1@DESKTOP-935CSD2:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

admin1@DESKTOP-935CSD2:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

admin1@DESKTOP-935CSD2:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CSD2:~$

1 Accepted Solution

12 Replies

@interfacedy The 7200 is old, so it might not actually support the latest and most secure ciphers that Ubuntu does. Run "show ip ssh" to determine what the 7200 supports.

balaji.bandi
Hall of Fame

Try

$ ssh -c  diffie-hellman-group1-sha1 admin@192.168.1.16

Legacy support:

https://www.openssh.com/legacy.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

interfacedy
Spotlight

@rob, what model can we try instead of the 7200? But the 7200 has the new IOS version 15.

 

R7200#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4O7wAiNzdD2WG4Efq+loV5GQVhxsfJCVFjejNG6Y2
3WmEt80EPtLoB8AhcmYuvV/1SPc9z9jQ532D9ri2tO7SACBXtBiTzMYpnp9Y/CZLtnNOWEB5sgEMH2ri
PfyBr5Pksfc4KC0NcUZZnieC5hBRZRZtuLqPDUjjeWDGj8kt6Q==
R7200#
R7200#sh run | i ssh
ip ssh version 2
transport input telnet ssh

 

admin1@DESKTOP-935CSD2:~$ ssh -c diffie-hellman-group1-sha1 admin@192.168.1.16
Unknown cipher type 'diffie-hellman-group1-sha1'

Have replied on the other post; try the guide below:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

BB

Hi, I am trying to set up Ansible on Ubuntu, running on a PC, to send commands to routers/switches, but it failed. Then I found the issue is that these routers refuse the client (Ubuntu) connection. Accessing a router (7200/ver15/192.168.1.16) from Ubuntu via SSH failed as below. It looks like there is no matching cipher. After several attempts changing to different ciphers as below, ssh still cannot access the router. Can anyone help to resolve the issue? Thank you

 

admin1@DESKTOP-935CS:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

admin1@DESKTOP-935CS:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

admin1@DESKTOP-935CS:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CS:~$

@interfacedy the 7200 is so old it does not support the stronger DH algorithms the Ubuntu server is attempting to connect with. You can modify the Ubuntu server configuration to use DH group 1 or 14 as per the error message. On the Ubuntu server, modify the /etc/ssh/ssh_config file and add the following at the end of the file.

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Save the file, restart the service using service ssh restart and connect again.
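Two points worth knowing before editing the file as described above. First, /etc/ssh/ssh_config is the ssh client's configuration and is read afresh on every ssh invocation; restarting the ssh service only restarts the sshd server on the Ubuntu machine and has no effect on the client. Second, a KexAlgorithms or Ciphers line placed at the end of the file under `Host *` lowers the floor for every host that machine connects to, so the safer pattern is a `Host 192.168.1.16` block that enables the legacy algorithms for the router only, using the `+` form that appends to the client's defaults. The script below is an added example, not code from the thread or from Cisco or OpenSSH: it parses the "Unable to negotiate ... Their offer: ..." lines that ssh prints, keeps only the offered algorithms the local client supports, and emits such a host-scoped block. The cipher list is the `ssh -Q cipher` output from the thread; the client's kex list is constructed here, since the thread never ran `ssh -Q kex`. It also checks a Ciphers value against the client's list, which is what produces the "Bad SSH2 cipher spec" error later in the thread: blowfish-cbc was removed from OpenSSH in release 7.6, so the name is no longer recognised.

```python
"""Turn an OpenSSH negotiation failure into a host-scoped client config.

Added example, not code from the thread. It reads the "Unable to negotiate
... Their offer: ..." lines ssh prints, keeps only the offered algorithms the
local client actually supports, and emits a `Host` stanza that enables them
for the one router instead of for every connection.
"""
import re
from typing import Dict, List, Set

# Algorithms OpenSSH disables by default (or has removed), ranked: higher = weaker.
# Anything not listed is treated as a current default (rank 0).
LEGACY_RANK = {
    "diffie-hellman-group-exchange-sha1": 1,
    "diffie-hellman-group14-sha1": 1,
    "diffie-hellman-group1-sha1": 2,     # 1024-bit group with SHA-1
    "aes128-cbc": 1, "aes192-cbc": 1, "aes256-cbc": 1,
    "3des-cbc": 2,
    "blowfish-cbc": 3,                   # removed from OpenSSH in 7.6
}

NEGOTIATE_RE = re.compile(
    r"no matching (?P<kind>key exchange method|cipher|MAC|host key type) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)
KIND_TO_OPTION = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
    "host key type": "HostKeyAlgorithms",
}

# Error lines copied from the thread.
ERRORS = """\
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Unable to negotiate with 192.168.1.16 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

# What the client supports. Ciphers are the `ssh -Q cipher` list from the
# thread; the kex list is constructed here (typical of an OpenSSH 8.x client).
CLIENT_SUPPORT: Dict[str, Set[str]] = {
    "Ciphers": {
        "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
        "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
    },
    "KexAlgorithms": {   # constructed
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
    },
}

# The Ciphers value that produced "Bad SSH2 cipher spec" in the thread.
BAD_CIPHERS_LINE = "3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr"


def parse_offers(error_text: str) -> Dict[str, List[str]]:
    """Map each ssh_config option to the algorithms the server offered for it."""
    offers: Dict[str, List[str]] = {}
    for m in NEGOTIATE_RE.finditer(error_text):
        offers[KIND_TO_OPTION[m.group("kind")]] = m.group("offer").split(",")
    return offers


def choose(offered: List[str], supported: Set[str]) -> List[str]:
    """Offered algorithms the client knows, least-weak first (server order otherwise)."""
    return sorted((a for a in offered if a in supported), key=lambda a: LEGACY_RANK.get(a, 0))


def host_stanza(host: str, offers: Dict[str, List[str]], support: Dict[str, Set[str]]) -> str:
    """Build a Host block; '+' appends to the client defaults rather than replacing them."""
    lines = [f"Host {host}"]
    for option, offered in offers.items():
        usable = choose(offered, support[option])
        if not usable:
            raise ValueError(f"{option}: client supports none of {','.join(offered)}")
        lines.append(f"    {option} +{','.join(usable)}")
    return "\n".join(lines)


def unknown_names(spec: str, supported: Set[str]) -> List[str]:
    """Names in a Ciphers/KexAlgorithms value this client would reject as a bad spec."""
    return [a for a in spec.lstrip("+-^").split(",") if a not in supported]


if __name__ == "__main__":
    print(host_stanza("192.168.1.16", parse_offers(ERRORS), CLIENT_SUPPORT))
    print("rejected names:", unknown_names(BAD_CIPHERS_LINE, CLIENT_SUPPORT["Ciphers"]))
```

The generated block belongs near the top of /etc/ssh/ssh_config (or in ~/.ssh/config), before the `Host *` section: as the comment header in that file itself says, a value is only changed the first time it is set, so host-specific definitions must precede the defaults.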

interfacedy
Spotlight

Hi Rob, thanks for your reply. I have had this issue for a long time and hope to resolve it ASAP. Now let me reply to your reply:

You said "the 7200 is so old it does not support the stronger DH ..." The 7200 that I am using runs IOS version 15.2. Can it be used? Or should I change the IOS to another one? If it is so old, what kind of IOS should I use?

Second, there is no ssh_config folder under the ssh folder, but there are two similar ones under the ssh folder. I got the response below when I added the commands. Is there an issue in Ubuntu?

No need to cd to ssh_config.

ssh_config is the file.

Get into sudo and follow the steps below:

$ sudo su  (type root password)
# cd /etc/ssh
# ls  (you see the ssh_config file)
# vi ssh_config  (use the arrow keys to go to the end of the file)
  Press "i" to insert

Copy the line below as suggested:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Use the mouse to copy and right-click to paste (if you are using PuTTY).

Once it is pasted, press the ESC key and type :wq (write the file).

Restart the ssh service - systemctl restart ssh

The guide below will help you:

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0/340853

BB

interfacedy
Spotlight

Hi, I used nano instead of vi to edit it since I am not that familiar with vi. I added those commands to ssh_config successfully, but as shown below, it still cannot reach the router. The link that you showed above is very much the same as my situation, but my case cannot go through. I tried it several times in case of some typo. I think there are two ways that I can still try: one is to change Ubuntu to an earlier version, or change the router to a new version. Is this the right direction?

 

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc admin@192.168.1.16
ssh_dispatch_run_fatal: Connection to 192.168.1.16 port 22: Invalid key length

"Invalid key length": what does it mean? How can I correct it?

---------------------- added Cipher:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

 

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.

Thanks
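"Invalid key length" is OpenSSH's wording for a host key it considers too short, and the key the router printed under `show ip ssh` earlier in the thread can be measured directly: an `ssh-rsa` public key is three length-prefixed fields (the key type, the public exponent e and the modulus n, with e and n as mpints). The script below is an added example, not code from the thread, from Cisco or from OpenSSH. It decodes that key, reports the modulus size, and flags anything under 2048 bits, a policy threshold assumed here for the example; the key in the thread comes out at 1024 bits, and the last post in the thread reports that changing the key is what resolved the problem. The same parser can be pointed at any device's published key to inventory host-key sizes across a fleet.

```python
"""Measure the RSA host key a device publishes, from its `show ip ssh` output.

Added example, not from the thread. `ssh-rsa` public keys are a sequence of
uint32-length-prefixed fields (RFC 4253 section 6.6, RFC 4251 "string" and
"mpint"): the key type, the exponent e and the modulus n.
"""
import base64
import struct
from typing import List, Tuple

# Key copied from the R7200 output in the thread (it was wrapped over three lines there).
R7200_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4O7wAiNzdD2WG4Efq+loV5GQVhxsfJCVFjejNG6Y2"
    "3WmEt80EPtLoB8AhcmYuvV/1SPc9z9jQ532D9ri2tO7SACBXtBiTzMYpnp9Y/CZLtnNOWEB5sgEMH2ri"
    "PfyBr5Pksfc4KC0NcUZZnieC5hBRZRZtuLqPDUjjeWDGj8kt6Q=="
)

MIN_BITS = 2048  # policy threshold assumed for this example (usual current RSA minimum)


def ssh_strings(blob: bytes) -> List[bytes]:
    """Split an SSH wire blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_ssh_rsa(line: str) -> Tuple[int, int]:
    """Return (e, n) from an 'ssh-rsa <base64>' line; rejects other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    fields = ssh_strings(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    # mpint is big-endian two's complement; a leading 0x00 keeps large values positive
    e = int.from_bytes(fields[1], "big", signed=True)
    n = int.from_bytes(fields[2], "big", signed=True)
    if e <= 0 or n <= 0:
        raise ValueError("non-positive exponent or modulus")
    return e, n


def encode_ssh_rsa(e: int, n: int) -> str:
    """Inverse of parse_ssh_rsa, for building test vectors (not a key generator)."""
    def mpint(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte when the top bit is set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def modulus_bits(line: str) -> int:
    """Size of the RSA modulus in bits."""
    return parse_ssh_rsa(line)[1].bit_length()


def assess(line: str) -> str:
    """One-line verdict against the MIN_BITS policy threshold."""
    e, n = parse_ssh_rsa(line)
    bits = n.bit_length()
    status = "ok" if bits >= MIN_BITS else "too short, regenerate"
    return f"{bits}-bit RSA (e={e}): {status}"


if __name__ == "__main__":
    print(assess(R7200_KEY))  # the thread's router key
```

On IOS the replacement key is generated with a larger modulus (`crypto key generate rsa` accepts a modulus size), after which every client that has the old key cached will report a changed host key; that warning is expected once and should be verified out of band rather than suppressed.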

admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.

It is giving an error on line 56.

Post the output from Linux:

cat /etc/ssh/ssh_config

BB

interfacedy
Spotlight

Please see below:

admin1@DESKTOP-935CSD2:/etc/ssh$ cat /etc/ssh/ssh_config

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes


KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
admin1@DESKTOP-935CSD2:/etc/ssh$

interfacedy
Spotlight

After changing the key, finally the issue is resolved! Thank you!