Define which key exchange algorithms to use on Cisco 3925 when ssh'ing to a linux server?

I'm having issues SSH'ing from a Cisco 3925 router to a FIPS enabled and hardened Linux server. The Cisco 3925 is on IOS version 15.7(3).M7.

The Linux server (RHEL 7) is configured with the following defined in its SSH server config:

Ciphers aes128-ctr,aes192-ctr,aes265-ctr
MACs hmac-sha2-256,hmac-sha2-512

My understanding is that the Linux server will not successfully handshake with a client (the Cisco 3925 router) that does not also support those algorithms. When tailing the SSH log file on the server, I see the following error message:

"Unable to negotiate with 172.16.10.1: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14.sha1 [preauth]"

This seems to indicate that the Cisco 3925 is not configured to or attempting to use an algorithm that is found in the Linux server's config.

Is there a way to adjust the Cisco 3925's configuration such that it will use a stronger encryption or key exchange algorithm?

Thanks!
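The "no matching key exchange method found" line above can be checked mechanically against the server's own list, which is governed by sshd's KexAlgorithms setting rather than the Ciphers/MACs lines shown in the config. The script below is an added example, not code from the original post, Cisco or Red Hat; the log lines and the server KEX list are constructed (take the real list from `sshd -T` on the server), and the sample uses the standard spelling `diffie-hellman-group14-sha1`.

```python
import re

# Constructed sshd log lines modelled on the message quoted in the question.
# Addresses and offers are sample values, not real hosts.
SAMPLE_LOG = """\
Unable to negotiate with 172.16.10.1: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 [preauth]
Accepted publickey for admin from 10.0.0.5 port 51022 ssh2: RSA SHA256:constructedfingerprint
Unable to negotiate with 172.16.10.2: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group14-sha256 [preauth]
Unable to negotiate with 172.16.10.3: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
"""

# Assumed KexAlgorithms list of the hardened server (constructed for this
# example; on the real host use `sshd -T | grep kexalgorithms`).
SERVER_KEX = ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"]

# Matches "no matching X found. Their offer: a,b,c" as logged by OpenSSH sshd.
FAILURE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>[0-9.]+): "
    r"no matching (?P<what>key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

def parse_failures(log_text):
    """Return (peer, category, offered algorithm list) for each negotiation failure."""
    out = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            out.append((m.group("peer"), m.group("what"), m.group("offer").split(",")))
    return out

def kex_gap(offer, server_kex=SERVER_KEX):
    """Split a client's KEX offer into what the server accepts and what it rejects."""
    accepted = [a for a in offer if a in server_kex]
    rejected = [a for a in offer if a not in server_kex]
    return accepted, rejected

def report(log_text, server_kex=SERVER_KEX):
    # Per peer: shared KEX methods, rejected ones, and whether the client
    # offered only SHA-1 based methods (the situation in the question).
    result = {}
    for peer, what, offer in parse_failures(log_text):
        entry = {"category": what, "offer": offer}
        if what == "key exchange method":
            entry["accepted"], entry["rejected"] = kex_gap(offer, server_kex)
            entry["sha1_only"] = all(a.endswith("-sha1") for a in offer)
        result[peer] = entry
    return result
```

A peer whose `accepted` list is empty and `sha1_only` is true is a client that cannot connect until it is upgraded or the server's list is extended; peers with a non-empty `accepted` list failed for a different reason (for example a cipher or MAC mismatch on another line).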

1 Reply

marce1000
VIP

> Is there a way to adjust the Cisco 3925's configuration such that it will use a stronger encryption or key exchange algorithm

Generally not, and/or the limits are correlated to the current IOS version being used. Perhaps a more recent version could support stronger ciphers. But usually IOS is 'weak' on that matter.... Better to SSH from, e.g., another Linux box, not from routers or switches.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !