
Problem with ssh and old switch

Majed Zouhairy
Level 1

Peace,

When I ssh into it, it displays the following warning:

the first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1 which is below the configured warning threshold...

I tried to regenerate the rsa key with 2048 bits but that didn't help.

sh ver

BOOTLDR: C2960S Boot Loader (C2960S-HBOOT-M) Version 12.2(53r)SE, RELEASE SOFTWARE (fc3)

Is there a way around this except ignoring?

13 Replies

Check this link:

https://nbctcp.wordpress.com/2018/02/01/error-the-first-key-exchange-algorithm-supported-by-the-server-is-diffie-hellman-group1-sha1/

 

Reconfigure your client or try an IOS upgrade to version 15.

 

Regards.
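Added example, not part of the thread: a Python sketch of the negotiation behind the warning in the question. It parses the server's SSH_MSG_KEXINIT name-lists (RFC 4253 section 7.1) and applies the "first client algorithm the server also offers" rule; the client policy lists and both server offers are constructed for illustration and are not taken from the switch.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Serialise a KEXINIT payload (RFC 4253 section 7.1); used for sample data."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # message type + 16-byte cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names  # name-list: uint32 length + CSV
    return out + b"\x00" + struct.pack(">I", 0)       # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += size
    return lists

def negotiate_kex(preferred, warn_only, server_kex):
    """RFC 4253 rule: first client algorithm the server also lists wins.
    Returns (algorithm, warn); warn is True when the match is in warn_only."""
    for alg in preferred + warn_only:
        if alg in server_kex:
            return alg, alg in warn_only
    return None, False

# Hypothetical client policy: algorithms below the warning threshold go in WARN_ONLY.
PREFERRED = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
WARN_ONLY = ["diffie-hellman-group1-sha1"]

# Constructed server offers. The host-key list is a separate field, so changing
# the RSA key size changes nothing that key-exchange negotiation looks at.
OLD_SWITCH = build_kexinit({"kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-rsa"]})
NEWER_SERVER = build_kexinit({"kex": ["diffie-hellman-group14-sha256",
                                      "diffie-hellman-group1-sha1"], "host_key": ["ssh-rsa"]})

if __name__ == "__main__":
    for name, payload in (("old switch", OLD_SWITCH), ("newer server", NEWER_SERVER)):
        print(name, negotiate_kex(PREFERRED, WARN_ONLY, parse_kexinit(payload)["kex"]))
```

The warning clears only when the server's `kex` list contains something the client ranks above its threshold, which is a property of the SSH server software rather than of the host key.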

 

Thank you for helping. I was hoping it can be done without an ios upgrade as it is easier to see pigs fly than to propose this here!

As Daniele notes, you really need a newer IOS, with newer SSHv2 support, to avoid this. However, unsure you'll need to upgrade to 15.x to obtain what you need.

Yeah I remembered, pigs flying is offensive to believers of fairy tales, while I am very sure that upgrading is the real way.

Out of interest, and when pigs do fly, are there any license issues with upgrading to the new license?

Usually not. However, for version upgrades, you generally need a maintenance contract (to perform them legally).

Do you mean to say buying a Cisco product doesn't mean you own it? Can't I get the same switch model bought at a later date and upgrade the old switch with the newer IOS? It is quite troublesome to ask the ones we buy Cisco from for any kind of help! And thanks for helping out!

When you buy a Cisco network device, you own the hardware but not the software. The software is licensed.

So I have to buy a license?

For a 2960S, good chance the answer is yes. BTW, often you cannot obtain a license unless you buy directly from Cisco or an authorized dealer.

ish;

 

"As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Critical and High severity Cisco Security Advisories."

 

https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html

Not specific for the issue, however worth considering.

and thank you for your feedback

shubhamtater
Level 1

Please configure line vty 0 15 with this configuration

transport input ssh
