
ssh authentication, key exchange

roncro
Level 3

Hello,

 

I am upgrading workstations to RHEL 8, and I have 2/3 2960-s switches, and also a router (that I keep as a spare), that complain when I use ssh to connect to them.

$ ssh admin@south.localdomain
Unable to negotiate with 192.168.1.3 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

 

So basically,  the switch wants to talk that key exchange, which RHEL 8 doesn't want to use (KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c)

 

can the switches/router be configured to use something newer, one of the above?

 

Of course I can use something like: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@south.localdomain

 

but that's like cheating, and I would rather not do that.

 

thanks,

 

Ron

 

13 Replies

Hello,

 

there have been numerous discussions regarding this in the past, and as far as I recall, your 'workaround' has so far been the only thing that works.

Hello Georg,

 

I wasn't aware that this has been discussed before.

Another possibility I was thinking about. Would a switch/router allow host/key (ssh) based logins, similar to what can be done between 2 machines (linux/unix)?

 

thanks,

 

Ron

Hello,

 

I think the SSH encryption methods that can be used are rather limited, so I don't know if you can use host/key based logins. Your options are limited to whatever you see under the:

 

2960(config)#crypto key ?

 

submenu.

 

That said, it is possible that higher IOS versions support higher/different encryption algorithms. Which version(s) are you running on your switches?

Hello Georg,

 

there's nothing there except lock/unlock a key pair. The version (12.2, probably really old) I have doesn't allow putting in a custom key.

 

I am wondering though, is there a way to check the ssh configuration on the switch, to check and see if it is even using SSH2 instead of 1? (And if not, can I switch to SSH2, or do I need to generate a new RSA key after that?)

 

thanks,

 

Ron

Ron

 

You ask "I am wondering though, is there a way to check the ssh configuration on the switch,  to check and see if it is even using SSH2 instead of 1?" I would expect the output of show ip ssh to answer that question. And if it turns out that it is using SSH1 it should be quite possible to change the configuration to specify use of SSH2.

HTH

Rick

Hi Rick,

 

it looks like it is just using SSH1, assuming version 1.99 is SSH1?

North#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

North(config)#ip ssh version 2
North(config)#exit

North#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
North#

 

that didn't solve the key problem though, unless I'd need a new RSA key too.

 

Ron

Ron

 

Actually version 1.99 allows both SSH version 1 and version 2. You have now configured the device to use only version 2 (and to refuse attempts that use version 1). Some people configure this because version 2 is more secure than version 1. And some people keep version 1.99 so that they can accept both - are there any clients you want to be able to SSH that use only version 1? You know your own situation and which category you fit into.

 

But fundamentally your issue is not about version 1 or version 2. It is about the key exchange protocols used by SSH. Your switches/router are running fairly old code and use fairly old key exchange protocols. Without knowing the specific version of code they are running we cannot know what their capabilities are to use more sophisticated key exchange protocols. My guess is that the capabilities for more sophisticated key exchange protocols may involve code upgrades. And that might be problematic.

 

You indicate that you have a workaround that does allow access but that it feels like cheating. My advice is to use what works and not to worry about a more elegant solution.

HTH

Rick

Is this issue resolved or not in CML? I tried the workaround and using Alpine Linux to login, but ssh still fails for me even after forcing it to use a different key algorithm using <ssh -oKexAlgorithms....>

 

Please advise?

In my case, I had to specify the following three options for the ssh to work. Make sure to choose every ssh option from the "Their offer:" list when the ssh command fails:

-oKexAlgorithms=diffie-hellman-group-exchange-sha1

-oHostKeyAlgorithms=ssh-rsa

-oCiphers=aes128-cbc

I hope that helps,

to make logging in less of a hassle, in .ssh/config I put something like:

Host north.localdomain
KexAlgorithms diffie-hellman-group1-sha1
Host 192.168.1.2
KexAlgorithms diffie-hellman-group1-sha1
Host south.localdomain
KexAlgorithms diffie-hellman-group1-sha1
Host 192.168.1.3
KexAlgorithms diffie-hellman-group1-sha1

 

that way ssh, on a specific client/uid, uses that key exchange as an option just for the 2 Cisco 2960-s switches only. Same thing of course, just a less ugly cli command.

 

Ron

hichemguenfaf
Level 1

You can set up an sshd server on the DC, where your Cisco devices are, remotely ssh to it then from that server ssh to whatever switch or router you want.

Please note that you should **only** be exposing the linux/unix server to the public network. This will make sure that the traffic over the WAN is encrypted with the latest algorithms.

tndafa
Cisco Employee

Add the following configuration to the RedHat ssh_config file:

sudo vim /etc/ssh/ssh_config

press i on the keyboard and paste the lines below:

HostkeyAlgorithms ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

press the Escape (esc) key on the keyboard, then type :wq and Enter.

SSH will work after that.

This actually works, thank you tndafa!
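Two patterns appear in this thread: enabling the legacy key exchange only for the two switches in ~/.ssh/config (Ron's Host stanzas), and enabling it for every host by editing /etc/ssh/ssh_config (the RedHat instructions just above). The following Python is an added example, not code from the thread, from Cisco or from OpenSSH. It parses the client-side "Unable to negotiate ... Their offer:" messages quoted earlier, generates a per-host stanza that appends (with `+`) only the algorithms that device offered, and flags a config that enables legacy algorithms outside a specific Host block. The hostnames, addresses and error lines are constructed from what the thread quotes; the LEGACY set is an assumption listing algorithms a current OpenSSH client no longer offers by default.

```python
"""Scope legacy SSH algorithms to the devices that need them.

Added example for this thread (not code from the thread, Cisco or OpenSSH).
"""
import re
from collections import OrderedDict

# OpenSSH's error wording -> the ssh_config keyword controlling that list.
NEGOTIATION_KIND = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
KEYWORDS = {v.lower(): v for v in NEGOTIATION_KIND.values()}  # keywords are case-insensitive

# Assumption: algorithms a current OpenSSH client (e.g. RHEL 8's DEFAULT crypto
# policy) drops from its default offers. The names are real; the set is illustrative.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "ssh-dss", "ssh-rsa",
    "aes128-cbc", "aes256-cbc", "3des-cbc", "hmac-sha1", "hmac-md5",
}

ERR = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_negotiation_error(line):
    """Return (host, port, keyword, [offered algorithms]), or None if no match."""
    m = ERR.search(line)
    if not m:
        return None
    return m["host"], int(m["port"]), NEGOTIATION_KIND[m["kind"]], m["offer"].split(",")


def host_stanza(alias, error_lines):
    """Build a Host block that appends ('+') exactly what one device offered.

    Appending keeps the client's default lists intact, so the legacy
    algorithms are only ever tried against this alias.
    """
    needed = OrderedDict()
    addr = None
    for line in error_lines:
        parsed = parse_negotiation_error(line)
        if parsed is None:
            continue
        addr, _port, keyword, offer = parsed
        algs = needed.setdefault(keyword, [])
        for alg in offer:
            if alg not in algs:
                algs.append(alg)
    out = [f"Host {alias}"]
    if addr and addr != alias:
        out.append(f"    HostName {addr}")
    for keyword, algs in needed.items():
        out.append(f"    {keyword} +{','.join(algs)}")
    return "\n".join(out)


def unscoped_legacy(config_text):
    """Return {keyword: [legacy algorithms]} enabled for every host.

    Only directives in the global section (before any Host/Match line) or
    under 'Host *' count; directives inside a specific block are already scoped.
    """
    findings = {}
    scope = "*"  # directives before the first Host/Match line apply globally
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # OpenSSH accepts 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            scope = value
            continue
        if key not in KEYWORDS or value.startswith("-") or scope != "*":
            continue
        # Without a '+' or '^' prefix the value replaces the default list outright.
        weak = [a for a in value.lstrip("+^").split(",") if a in LEGACY]
        if weak:
            findings.setdefault(KEYWORDS[key], []).extend(weak)
    return findings


# Constructed sample input, matching the messages quoted in the thread.
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.168.1.3 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.168.1.3 port 22: no matching host key type "
    "found. Their offer: ssh-rsa",
]

# Constructed: the shape of a system-wide /etc/ssh/ssh_config edit.
GLOBAL_CONFIG = """\
HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
"""

if __name__ == "__main__":
    print(host_stanza("south.localdomain", SAMPLE_ERRORS))
    print("legacy algorithms enabled for every host:", unscoped_legacy(GLOBAL_CONFIG))
```

Run it and the first print is a ready-to-paste stanza for `south.localdomain`; the second lists what the global edit enables for every destination the workstation talks to, which is the difference between the two approaches in this thread. Note that `HostkeyAlgorithms ssh-dss,ssh-rsa` without a `+` prefix replaces the client's default host-key list rather than extending it, so the audit treats it the same as an explicit global enablement.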
