01-09-2022 08:19 AM
Hi. Accessing a router (7200/ios15/192.168.1.16) from Ubuntu via ssh failed as below. It looks like there is no matching cipher. After several tries changing to different ciphers as below, ssh still cannot access the router. Can anyone share some solutions? Thank you.
admin1@DESKTOP-935CSD2:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CSD2:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
admin1@DESKTOP-935CSD2:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CSD2:~$
01-09-2022 08:29 AM - edited 01-09-2022 08:54 AM
@interfacedy The 7200 is old, so it might not actually support the latest and most secure ciphers that Ubuntu does. Run "show ip ssh" to determine what the 7200 supports.
01-09-2022 10:27 AM
Try
$ ssh -c diffie-hellman-group1-sha1 admin@192.168.1.16
Legacy support:
https://www.openssh.com/legacy.html
01-09-2022 12:42 PM - edited 01-09-2022 12:45 PM
@rob, what model can we try instead of the 7200? But the 7200 has the new IOS version 15.
R7200#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4O7wAiNzdD2WG4Efq+loV5GQVhxsfJCVFjejNG6Y2
3WmEt80EPtLoB8AhcmYuvV/1SPc9z9jQ532D9ri2tO7SACBXtBiTzMYpnp9Y/CZLtnNOWEB5sgEMH2ri
PfyBr5Pksfc4KC0NcUZZnieC5hBRZRZtuLqPDUjjeWDGj8kt6Q==
R7200#
R7200#sh run | i ssh
ip ssh version 2
transport input telnet ssh
admin1@DESKTOP-935CSD2:~$ ssh -c diffie-hellman-group1-sha1 admin@192.168.1.16
Unknown cipher type 'diffie-hellman-group1-sha1'
01-09-2022 05:05 PM
I have replied in the other post; try the guide below @
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
01-15-2022 09:16 AM - edited 01-15-2022 09:20 AM
Hi. I am trying to set up Ansible on Ubuntu on a PC to send commands to routers/switches, but it failed. Then I found the issue is that these routers refuse the client (Ubuntu) connection. Accessing a router (7200/ver15/192.168.1.16) from Ubuntu via ssh failed as below. It looks like there is no matching cipher. After several tries changing to different ciphers as below, ssh still cannot access the router. Can anyone help to resolve the issue? Thank you.
admin1@DESKTOP-935CS:~$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CS:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
admin1@DESKTOP-935CS:~$ ssh -c aes256-cbc admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin1@DESKTOP-935CS:~$
01-15-2022 10:28 AM
@interfacedy The 7200 is so old that it does not support the stronger DH algorithms the Ubuntu server is attempting to connect with. You can modify the Ubuntu server configuration to use DH group 1 or 14 as per the error message. On the Ubuntu server, modify the /etc/ssh/ssh_config file and add the following at the end of the file.
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Save the file, restart the service using service ssh restart and connect again.
01-15-2022 03:13 PM - edited 01-16-2022 05:26 PM
Hi Rob, thanks for your reply. I have had the issue for such a long time and hope to resolve it ASAP. Now let me reply to your reply:
You said "the 7200 is so old it does not support the stronger DH ...". The 7200 that I am using is running IOS version 15.2. Can it be used? Or should I change the IOS to another IOS? If it's so old, what kind of IOS should I use?
Second, there is no ssh_config folder under the ssh folder, but there are two similar ones under the ssh folder. I got the below response when I added the commands. Is there an issue in Ubuntu?
01-15-2022 03:31 PM
No need to cd to ssh_config.
ssh_config is the file.
Get into sudo and follow the steps below:
$ sudo su (type the root password)
# cd /etc/ssh
# ls (you see the ssh_config file)
# vi ssh_config (use the arrow keys to go to the end of the file)
Press "i" to insert.
Copy the line below as suggested:
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Use the mouse to copy and right-click to paste (if you are using PuTTY).
Once it is pasted, press the ESC key.
Type :wq (write the file).
Restart the ssh service: systemctl restart ssh
The guide below will help you:
01-15-2022 07:47 PM - edited 01-15-2022 08:42 PM
Hi, I used nano instead of vi to edit it since I am not that familiar with vi. I added those commands to ssh_config successfully, but as shown following, it still cannot reach the router. The link that you showed above is the very same as my situation, but my case cannot go through. I tried it several times in case of some typo. I think there are two ways that I can still try: one is to change Ubuntu to an earlier version, or change the router to a new version. Is this the right direction?
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh admin@192.168.1.16
Unable to negotiate with 192.168.1.16 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc admin@192.168.1.16
ssh_dispatch_run_fatal: Connection to 192.168.1.16 port 22: Invalid key length
"Invalid key length": what does it mean? How can I correct it?
---------------------- added Ciphers:
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.
Thanks
01-16-2022 02:06 AM
admin1@DESKTOP-935CSD2:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.15
/etc/ssh/ssh_config line 56: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr'.
It is giving an error on line 56.
Post the output from Linux of:
cat /etc/ssh/ssh_config
01-16-2022 07:09 AM
Please see below:
admin1@DESKTOP-935CSD2:/etc/ssh$ cat /etc/ssh/ssh_config
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
admin1@DESKTOP-935CSD2:/etc/ssh$
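The two negotiation errors in this thread ("no matching key exchange method found" and "no matching cipher found") and the "Bad SSH2 cipher spec" rejection all come down to list matching, which is easy to check before editing anything. The script below is an added example written for this thread; it is not code from the original posts, from Cisco, or from OpenSSH. It parses the "Their offer:" part of an OpenSSH error, intersects it with what the local client supports, prefers the least-weak common key exchange, reports any name in a proposed Ciphers line that the client does not know (one unknown name is enough for ssh to reject the whole line, which is what happened with blowfish-cbc above, a cipher OpenSSH removed in 7.6), and prints a stanza scoped to the single router. Scoping relies on the precedence rule stated in the posted ssh_config itself ("Any configuration value is only changed the first time it is set"): placed before `Host *`, the stanza applies the legacy algorithms only to that one device rather than to every destination. The client algorithm lists and the preference order are constructed stand-ins, marked as such in the code; on a real Ubuntu host they would come from `ssh -Q kex` and `ssh -Q cipher`.

```shell
#!/bin/sh
# Added example, not code from the thread: match a legacy SSH server's offer
# against the local OpenSSH client and emit a host-scoped ssh_config stanza.

# Constructed input: the two negotiation errors quoted in the thread.
KEX_ERROR='Unable to negotiate with 192.168.1.16 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
CIPHER_ERROR='Unable to negotiate with 192.168.1.16 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'

# Constructed stand-ins for `ssh -Q kex` and `ssh -Q cipher` (what the client
# is built with, not what it enables by default). On a real host use
# $(ssh -Q kex | tr '\n' ' ') and $(ssh -Q cipher | tr '\n' ' ') instead.
# blowfish-cbc is absent because OpenSSH 7.6 removed it.
CLIENT_KEX='curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1'
CLIENT_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com'

# Assumed preference among the SHA-1 kex methods old IOS offers: the 2048-bit
# group14 before negotiated-size group exchange before the 1024-bit group1.
KEX_PREFERENCE='diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1'

# Names after "Their offer:" in an ssh negotiation error, space-separated.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' ' '
}

# Exit status 0 if word $1 occurs in the space-separated list $2.
has_word() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Comma-separated members of list $1 that also occur in list $2, in $1's order.
intersect() {
    out=''
    for alg in $1; do
        if has_word "$alg" "$2"; then
            out="${out:+$out,}$alg"
        fi
    done
    printf '%s\n' "$out"
}

# First entry of KEX_PREFERENCE present in the comma-separated list $1.
pick_kex() {
    for alg in $KEX_PREFERENCE; do
        if has_word "$alg" "$(printf '%s' "$1" | tr ',' ' ')"; then
            printf '%s\n' "$alg"
            return 0
        fi
    done
    return 1
}

# Names in a comma-separated Ciphers/KexAlgorithms value that the client does
# not know. Any such name makes ssh reject the whole config line.
unknown_names() {
    bad=''
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        has_word "$alg" "$2" || bad="${bad:+$bad,}$alg"
    done
    printf '%s\n' "$bad"
}

# Stanza for one host. It must precede "Host *" in ssh_config, because the
# first value set for each option wins.
host_stanza() {
    printf 'Host %s\n    KexAlgorithms %s\n    Ciphers %s\n' "$1" "$2" "$3"
}

main() {
    common_kex=$(intersect "$(parse_offer "$KEX_ERROR")" "$CLIENT_KEX")
    common_ciphers=$(intersect "$(parse_offer "$CIPHER_ERROR")" "$CLIENT_CIPHERS")
    echo "kex both sides support:     $common_kex"
    echo "ciphers both sides support: $common_ciphers"
    echo "chosen kex:                 $(pick_kex "$common_kex")"
    echo "unknown to this client:     $(unknown_names '3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr' "$CLIENT_CIPHERS")"
    echo
    host_stanza 192.168.1.16 "$(pick_kex "$common_kex")" "$common_ciphers"
}

main
```

Run it with `sh legacy-ssh-check.sh` (any file name) and paste the printed `Host 192.168.1.16` stanza above the `Host *` line in /etc/ssh/ssh_config, or into ~/.ssh/config for one user. Because ssh_config is read by the ssh client each time it starts, no service restart is needed; the `systemctl restart ssh` step in the accepted answer restarts the sshd daemon, which plays no part in an outbound connection.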
01-16-2022 04:26 PM
After changing key, finally the issue resolved! Thank you!