03-30-2021 06:03 PM - edited 03-30-2021 06:04 PM
Hello,
I am upgrading workstations to RHEL 8, and I have 2/3 2960-s switches, and also a router (that I keep as a spare), that complain when I use ssh to connect to them.
$ ssh admin@south.localdomain
Unable to negotiate with 192.168.1.3 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
So basically, the switch wants to talk that key exchange, which RHEL 8 doesn't want to use (KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c)
can the switches/router be configured to use something newer, one of the above?
Of course I can use something like: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@south.localdomain
but that's like cheating, and would rather not do that.
thanks,
Ron
03-30-2021 10:51 PM
Hello,
there have been numerous discussions regarding this in the past, and as far as I recall, your 'workaround' has so far been the only thing that works.
03-30-2021 10:55 PM
Hello Georg,
I wasn't aware that this has been discussed before.
Another possibility I was thinking about. Would a switch/router allow host/key (ssh) based logins, similar to what can be done between 2 machines (linux/unix)?
thanks,
Ron
03-30-2021 11:36 PM
Hello,
I think the SSH encryption methods that can be used are rather limited, so I don't know if you can use host/key based logins. Your options are limited to whatever you see under the:
2960(config)#crypto key ?
submenu.
That said, it is possible that higher IOS versions support higher/different encryption algorithms. Which version(s) are you running on your switches?
03-31-2021 12:07 PM
Hello Georg,
there's nothing there except lock/unlock a key pair. The version (12.2, probably really old) I have doesn't allow putting in a custom key.
I am wondering though, is there a way to check the ssh configuration on the switch, to check and see if it is even using SSH2 instead of 1? (and if not can I switch to SSH2, or do I need to generate a new rsa key after that?)
thanks,
Ron
03-31-2021 05:44 PM
Ron
You ask "I am wondering though, is there a way to check the ssh configuration on the switch, to check and see if it is even using SSH2 instead of 1?" I would expect the output of show ip ssh to answer that question. And if it turns out that it is using SSH1 it should be quite possible to change the configuration to specify use of SSH2.
03-31-2021 05:53 PM
Hi Rick,
it looks like it is just using SSH1, assuming version 1.99 is SSH1?
North#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
North(config)#ip ssh version 2
North(config)#exit
North#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
North#
that didn't solve the key problem though, unless I'd need a new RSA key too.
Ron
04-01-2021 01:49 AM
Ron
Actually version 1.99 allows both SSH version 1 and version 2. You have now configured the device to use only version 2 (and to refuse attempts that use version 1). Some people configure this because version 2 is more secure than version 1. And some people keep version 1.99 so that they can accept both - are there any clients you want to be able to SSH that use only version 1? You know your own situation and which category you fit into.
But fundamentally your issue is not about version 1 or version 2. It is about the key exchange protocols used by SSH. Your switches/router are running fairly old code and use fairly old key exchange protocols. Without knowing the specific version of code they are running we can not know what their capabilities are to use more sophisticated key exchange protocols. My guess is that the capabilities for more sophisticated key exchange protocols may involve code upgrades. And that might be problematic.
You indicate that you have a work around that does allow access but that it feels like cheating. My advice is to use what works and not to worry about a more elegant solution.
05-22-2022 04:08 PM
Is this issue resolved or not in CML? I tried the workaround and using Alpine Linux to login, but ssh still fails for me even after forcing it to use a different key algorithm using <ssh -oKexAlgorithms....>
Please advise?
08-13-2022 04:10 PM
In my case, I had to specify the following three options for the ssh to work. Make sure to choose every ssh option from the "Their offer:" list when the ssh command fails:
-oKexAlgorithms=diffie-hellman-group-exchange-sha1
-oHostKeyAlgorithms=ssh-rsa
-oCiphers=aes128-cbc
I hope that helps,
03-31-2021 12:10 PM
to make logging in less of a hassle, in .ssh/config I put something like:
Host north.localdomain
KexAlgorithms diffie-hellman-group1-sha1
Host 192.168.1.2
KexAlgorithms diffie-hellman-group1-sha1
Host south.localdomain
KexAlgorithms diffie-hellman-group1-sha1
Host 192.168.1.3
KexAlgorithms diffie-hellman-group1-sha1
That way ssh, for a specific client/uid, uses that key exchange as an option just for the 2 Cisco 2960-s switches only. Same thing of course, just a less ugly cli command.
Ron
08-13-2022 04:06 PM
You can set up an sshd server on the DC, where your Cisco devices are, remotely ssh to it then from that server ssh to whatever switch or router you want.
Please note that you should **only** be exposing the linux/unix server to the public network. This will make sure that the traffic over the WAN is encrypted with the latest algorithms.
04-13-2024 08:38 AM
Add the following configuration to the RedHat ssh_config file:
sudo vim /etc/ssh/ssh_config
press i on the keyboard and paste the lines below:
HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
press the Escape (esc) key on the keyboard, then type :wq and Enter.
SSH will work after that.
07-19-2024 12:08 PM
This actually works, thank you tndafa!
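As an added example (not posted by anyone in this thread): a small Python helper that turns the "Their offer:" error lines ssh prints into a Host block for ~/.ssh/config, so the legacy algorithms that one switch forces are enabled for that host only rather than client-wide as in the /etc/ssh/ssh_config edit above. The sample stderr and the alias south.localdomain are constructed from the thread's own lines; the host-key and cipher messages follow the same OpenSSH "no matching ... found" wording as the KEX one.

```python
import re

# OpenSSH reports each failed negotiation as "no matching <list> found. Their offer: ...";
# map that wording to the ssh_config keyword that overrides the same list.
KEYWORD_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): no matching "
    r"(?P<what>" + "|".join(map(re.escape, KEYWORD_FOR)) + r") found\. Their offer: (?P<offer>\S+)"
)

# Constructed sample stderr: the KEX line from the thread plus the host-key and
# cipher lines that the 08-13-2022 reply had to work around on the same device.
SAMPLE_STDERR = (
    "Unable to negotiate with 192.168.1.3 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1\n"
    "Unable to negotiate with 192.168.1.3 port 22: no matching host key type found. "
    "Their offer: ssh-rsa\n"
    "Unable to negotiate with 192.168.1.3 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc\n"
)

def parse_offers(stderr_text):
    """Return (host, port, {ssh_config keyword: [offered algorithms]}) from ssh's stderr."""
    host, port, offers = None, None, {}
    for line in stderr_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            host, port = host or m["host"], port or int(m["port"])
            offers[KEYWORD_FOR[m["what"]]] = m["offer"].split(",")
    return host, port, offers

def host_stanza(alias, host, port, offers):
    """Render a Host block that relaxes only the lists this one device forces."""
    # Scoping the legacy names to a Host block (not the global part of
    # /etc/ssh/ssh_config) keeps every other connection on the client's modern defaults.
    lines = [f"Host {alias}", f"    HostName {host}", f"    Port {port}"]
    for keyword in KEYWORD_FOR.values():
        if keyword in offers:
            lines.append(f"    {keyword} {','.join(offers[keyword])}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(host_stanza("south.localdomain", *parse_offers(SAMPLE_STDERR)), end="")
```

Paste the printed block into ~/.ssh/config and the next plain `ssh south.localdomain` negotiates only what that switch needs; remove the block once the device is upgraded.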