SecureCRT SSH2 and IOS 12.4(20)T

jasonp
Level 1

Hello,

We recently upgraded all of our Cisco routers to 12.4(20)T and are no longer able to connect via SSH2 from any of our network admin consoles. An 'ip ssh debug' results in 'Invalid modulus length'. Has anyone seen this issue before?

Thank you in advance,

Jason

4 Replies

Collin Clark
VIP Alumni

How long was your modulus when you initially configured SSH? Are your keys still there (show crypto key mypubkey rsa)?

I am able to recreate the issue. It might be a bug and I would suggest opening a TAC case. Here's the debug info I got trying to establish a connection. BTW I rebuilt the entire config after the upgrade and got the same results.

*Mar 4 21:06:29.515: SSH0: starting SSH control process
*Mar 4 21:06:29.515: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
*Mar 4 21:06:29.519: SSH0: protocol version id is - SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT
*Mar 4 21:06:29.519: SSH2 0: send:packet of length 344 (length also includes padlen of 5)
*Mar 4 21:06:29.519: SSH2 0: SSH2_MSG_KEXINIT sent
*Mar 4 21:06:29.519: SSH2 0: ssh_receive: 464 bytes received
*Mar 4 21:06:29.519: SSH2 0: input: total packet length of 464 bytes
*Mar 4 21:06:29.523: SSH2 0: partial packet length(block size)8 bytes,needed 456 bytes, maclen 0
*Mar 4 21:06:29.523: SSH2 0: input: padlength 9 bytes
*Mar 4 21:06:29.523: SSH2 0: SSH2_MSG_KEXINIT received
*Mar 4 21:06:29.523: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
*Mar 4 21:06:29.523: SSH2:kex: server->client enc:aes256-cbc mac:hmac-sha1
*Mar 4 21:06:29.523: SSH2 0: ssh_receive: 24 bytes received
*Mar 4 21:06:29.523: SSH2 0: input: total packet length of 24 bytes
*Mar 4 21:06:29.523: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
*Mar 4 21:06:29.523: SSH2 0: input: padlength 6 bytes
*Mar 4 21:06:29.527: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Mar 4 21:06:29.527: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
*Mar 4 21:06:29.527: SSH2 0: Invalid modulus length
*Mar 4 21:06:29.627: SSH0: Session disconnected - error 0x00

Hope that helps.
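To make the 'Range sent by client is - 1024 < 2046 < 2046' line and the rejection that follows it concrete, here is an added Python example; it is not code from this thread, from Cisco or from VanDyke. It encodes and decodes the SSH2_MSG_KEX_DH_GEX_REQUEST payload defined in RFC 4419 (one type byte followed by three big-endian uint32 values: min, n, max), checks that the 13-byte payload plus the 6-byte padding shown in the debug is consistent with the 24-byte packet the router reports, and then compares the RFC 4419 group-selection rule with a hypothetical stricter rule that only honours a preferred size the server has an exact group for. The set of available group sizes and the strict rule are assumptions for illustration, not Cisco's implementation.

```python
import struct

# Added example, not from the thread: RFC 4419 KEX_DH_GEX_REQUEST handling.
SSH_MSG_KEX_DH_GEX_REQUEST = 34  # message number from RFC 4419

# Assumption: the modulus sizes this illustrative server has DH groups for.
AVAILABLE_GROUPS = (1024, 2048, 4096)


def build_gex_request(min_bits, preferred_bits, max_bits):
    """Encode the payload: byte type, then uint32 min, uint32 n, uint32 max (big-endian)."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, preferred_bits, max_bits)


def parse_gex_request(payload):
    """Decode a payload back into (min, n, max); rejects anything that is not a GEX_REQUEST."""
    if len(payload) != 13:
        raise ValueError("GEX_REQUEST payload must be 13 bytes, got %d" % len(payload))
    msg_type, lo, n, hi = struct.unpack(">BIII", payload)
    if msg_type != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a KEX_DH_GEX_REQUEST (type %d)" % msg_type)
    if not lo <= n <= hi:
        raise ValueError("range is not ordered: %d < %d < %d" % (lo, n, hi))
    return lo, n, hi


def binary_packet_length(payload_len, padding_len):
    """Total bytes on the wire for an unencrypted RFC 4253 binary packet:
    4-byte packet_length field + 1-byte padding_length + payload + padding."""
    return 4 + 1 + payload_len + padding_len


def format_range(lo, n, hi):
    """Same shape as the IOS debug line 'Range sent by client is - min < n < max'."""
    return "%d < %d < %d" % (lo, n, hi)


def rfc4419_select(lo, n, hi, available=AVAILABLE_GROUPS):
    """RFC 4419 section 3: return the smallest known group of at least n bits
    inside [min, max]; if none is that large, the largest known group in range."""
    in_range = sorted(g for g in available if lo <= g <= hi)
    if not in_range:
        return None
    at_least_n = [g for g in in_range if g >= n]
    return at_least_n[0] if at_least_n else in_range[-1]


def strict_select(lo, n, hi, available=AVAILABLE_GROUPS):
    """Hypothetical stricter rule (an assumption, not Cisco's code): only honour a
    preferred size the server has an exact group for, otherwise reject the request."""
    if lo <= n <= hi and n in available:
        return n
    return None


if __name__ == "__main__":
    # Constructed input reproducing the range from the debug output above.
    payload = build_gex_request(1024, 2046, 2046)
    lo, n, hi = parse_gex_request(payload)
    print("Range sent by client is -", format_range(lo, n, hi))
    print("wire length with 6 bytes padding:", binary_packet_length(len(payload), 6))
    print("RFC 4419 choice:", rfc4419_select(lo, n, hi))
    print("strict choice:", strict_select(lo, n, hi))
```

Under the RFC rule the 1024 < 2046 < 2046 request is still serviceable (1024 is the only known size in range, so it is returned); under the strict rule nothing matches 2046 and the request is refused, which is the shape of failure the debug shows. A client that sends a well-formed range such as 1024 < 2048 < 8192 passes both rules.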

VanDyke is aware and a recent SecureCRT beta has been released to address the issue:

http://www.vandyke.com/products/beta/securecrt/history.txt

Sure would be nice to disable this new strict checking in IOS, though.

VanDyke software provided a solution:

The new Cisco IOS, it seems, requires that the modulus size meet certain criteria that are not specified in the SSH draft.

The following has been known to resolve the issue for other customers encountering this issue:

1. In the 'SSH2' category of the Session Options dialog, select the 'diffie-hellman' key exchange method (without changing any of the checkboxes), and click the up arrow to move this method to the top of the list.

2. Click 'OK' to exit the Session Options dialog and attempt the connection again.

If your version of SecureCRT does not have this option, then each of the session ini files will need to be modified. You must move 'diffie-hellman-group1-sha1' to the front of the list on the line 'S:"Key Exchange Algorithms"'.

Jason
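Why moving 'diffie-hellman' to the top of the list works, as an added Python example that is not VanDyke's or Cisco's code: under RFC 4253 section 7.1 the key-exchange method used is the first one on the client's list that the server also supports, so once diffie-hellman-group1-sha1 is ahead of the group-exchange method the client never sends a KEX_DH_GEX_REQUEST and the modulus-length check is never reached. The server list, the default client list, the sample session file and the comma-separated format of its 'S:"Key Exchange Algorithms"' value are all assumptions made for the example.

```python
# Added example, not from the thread: KEX negotiation and the session-file edit.

SERVER_KEX = [  # assumed server list (group1 and group exchange only)
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
]

CLIENT_KEX_DEFAULT = [  # assumed client default: group exchange preferred
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]

GEX_METHODS = ("diffie-hellman-group-exchange-sha1",)

INI_KEY = 'S:"Key Exchange Algorithms"'

# Constructed sample session file; the other line is a placeholder, not a real key.
SAMPLE_INI = (
    'S:"Some Other Setting"=example\n'
    'S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\n'
)


def negotiate_kex(client_list, server_list):
    """RFC 4253 section 7.1: the first method on the client's list that the
    server also supports wins; the server's own ordering does not matter."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def sends_gex_request(client_list, server_list):
    """True when the negotiated method is a group-exchange one, i.e. the client
    will follow KEXINIT with a KEX_DH_GEX_REQUEST carrying min/n/max."""
    return negotiate_kex(client_list, server_list) in GEX_METHODS


def move_to_front(algs, name):
    """Return a copy of the list with `name` first and the rest in original order."""
    if name not in algs:
        raise ValueError("%s is not in the list" % name)
    return [name] + [a for a in algs if a != name]


def kex_from_ini(text):
    """Read the key-exchange list out of a session file (assumed comma-separated)."""
    for line in text.splitlines():
        if line.startswith(INI_KEY + "="):
            value = line[len(INI_KEY) + 1:]
            return [a.strip() for a in value.split(",") if a.strip()]
    raise ValueError("session file has no %s line" % INI_KEY)


def fix_session_ini(text, name="diffie-hellman-group1-sha1"):
    """Rewrite the session file so that `name` leads the key-exchange list;
    every other line is passed through unchanged."""
    out = []
    found = False
    for line in text.splitlines():
        if line.startswith(INI_KEY + "="):
            value = line[len(INI_KEY) + 1:]
            algs = [a.strip() for a in value.split(",") if a.strip()]
            line = INI_KEY + "=" + ",".join(move_to_front(algs, name))
            found = True
        out.append(line)
    if not found:
        raise ValueError("session file has no %s line" % INI_KEY)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", negotiate_kex(CLIENT_KEX_DEFAULT, SERVER_KEX),
          "sends GEX_REQUEST:", sends_gex_request(CLIENT_KEX_DEFAULT, SERVER_KEX))
    fixed = fix_session_ini(SAMPLE_INI)
    print("after: ", negotiate_kex(kex_from_ini(fixed), SERVER_KEX),
          "sends GEX_REQUEST:", sends_gex_request(kex_from_ini(fixed), SERVER_KEX))
```

One caveat for anyone applying this: diffie-hellman-group1-sha1 uses a fixed 1024-bit group (Oakley group 2), which is considered too small today, so the reorder is a workaround for the interoperability problem rather than a hardening step, and the client update mentioned above is the better fix once it is available.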