06-11-2022 06:50 PM
Home router I cannot SSH
I can telnet in fine, so now I am wondering what is wrong with my setup.
Using Ubuntu FreeRADIUS.
Under /etc/freeradius/3.0/clients.conf I have defined:
client 10.2.2.5 {
    secret = Fak1
    nastype = cisco
}
Under /etc/init.d/freeradius users:
engineer Cleartext-Password := "cisco12345"
    Service-Type = NAS-Prompt-User
I restart the RADIUS server
and telnet in from R2 --> Home: OK
telnet from Ubuntu --> Home: OK
ssh -l engineer 10.2.2.5
Password: cisco12345
Password: cisco12345
Connection to 10.2.2.5 closed by foreign host.
Ubuntu:
Telnet --> OK
ssh -l engineer 10.2.2.5
Unable to negotiate with 10.2.2.5 port 22: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
On the home router:
*Jun 12 01:45:47.967: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
Show run:
*Jun 12 01:34:59.631: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
*Jun 12 01:45:47.967: SSH2 0: no matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
R2-DHCP-NTP#
% Invalid input detected at '^' marker.
Building configuration...
Current configuration : 1555 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-DHCP-NTP
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$0XA1$BklW97j85luhkZLb3d.jB0 (Fak1)
!
aaa new-model
!
aaa session-id common
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip domain name Fak1
no ipv6 cef
!
multilink bundle-name authenticated
!
username Fak1 secret 5 $1$dHtw$U6C7nGCDPm/H.Z4AC0Su2/
username Fak1 password 0 Fak1
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
ip ssh time-out 2
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 ip address 10.2.2.5 255.255.255.0
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
radius-server configure-nas
radius-server host 10.2.2.6 auth-port 1645 acct-port 1646 key Fakoor
radius-server host 10.2.2.6 auth-port 1812 acct-port 1813
radius-server key Fakoor
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 password Fakoor
 login authentication Fakoor
 transport input all
!
06-11-2022 07:11 PM - edited 06-11-2022 07:54 PM
Update
SSH works fine except when I SSH from Ubuntu, so I believe it is some type of authentication mismatch, but I am not sure.
06-12-2022 01:53 AM
It will probably be because your router only supports a set of ciphers that your Ubuntu client thinks are insecure.
On the Ubuntu client, "ssh -Q cipher" will show you which ciphers it supports, and if any of them match the router ones then just specify the cipher when you connect, i.e.
ssh -c <cipher>
Jon
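One way to automate the check Jon describes, as an added example that is not part of the thread: intersect the router's "Their offer:" list with the client's `ssh -Q cipher` output, skip 3des-cbc, and print the exact ssh command to use. The client cipher list embedded below is a constructed sample of what a current OpenSSH prints, so the script runs offline; on a real machine replace it with the output of `ssh -Q cipher`.

```shell
#!/bin/sh
# Added example (not from the thread): pick a cipher both sides support and
# build the one-off ssh command. Runs offline on the embedded sample data.

# The router's offer, copied from the "Their offer:" line of the ssh error.
SERVER_OFFER="aes128-cbc,3des-cbc, aes192-cbc, aes256-cbc"

# Normally obtained with:  CLIENT_CIPHERS=$(ssh -Q cipher)
# Constructed sample (assumption) of a current OpenSSH client. `ssh -Q cipher`
# lists everything the binary can do, including the CBC modes that are no longer
# enabled by default; that gap is exactly why -c / -o Ciphers fixes the error.
CLIENT_CIPHERS="3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com"

# common_ciphers SERVER_CSV CLIENT_LIST
# Prints, one per line and in the server's preference order, every cipher that
# appears in both lists. Spaces in the comma-separated offer are ignored.
common_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | while IFS= read -r c; do
        [ -n "$c" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$c" && printf '%s\n' "$c"
    done
}

# pick_cipher SERVER_CSV CLIENT_LIST
# Prints the first common cipher that is not 3des-cbc (64-bit block size, the
# weakest thing in the offer); exits non-zero when nothing usable is common.
pick_cipher() {
    common_ciphers "$1" "$2" | grep -v '^3des-cbc$' | head -n 1 | grep .
}

# ssh_command USER HOST SERVER_CSV CLIENT_LIST
# Builds the ssh invocation with the chosen cipher enabled for this session only.
ssh_command() {
    cipher=$(pick_cipher "$3" "$4") || return 1
    printf 'ssh -c %s -l %s %s\n' "$cipher" "$1" "$2"
}

# Usage with the data from the thread (hypothetical user/host from the post).
ssh_command engineer 10.2.2.5 "$SERVER_OFFER" "$CLIENT_CIPHERS" \
    || echo "no usable cipher is common to both sides" >&2
```

The `-c` option only affects that one connection. To avoid retyping it, the same setting can be scoped to the router with a `Host 10.2.2.5` stanza in ~/.ssh/config containing `Ciphers +aes128-cbc`; the `+` form appends to the client's default list instead of replacing it, so the legacy cipher is not re-enabled for every host. If, after the cipher is fixed, the client reports the same "Unable to negotiate" message for the key exchange or host key type instead, the corresponding `KexAlgorithms +...` and `HostKeyAlgorithms +...` settings take the same form; that case is not shown in the thread and is mentioned here only as a caveat.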
06-12-2022 12:35 PM
I didn't see this b4 thank you I will try it
06-12-2022 12:51 PM
Hello @hfakoor222,
the message "no common cipher found" means that the Ubuntu box does not accept any of the proposed cipher algorithms,
so @Jon Marshall is right.
I can add that from Windows 10, when using the Bitvise SSH client, I see similar results, and with PuTTY 0.67 64-bit for older boxes I need to use the following workaround to be able to access them:
instead of SSH I use "Other", then I select "bare ssh-session", I select TCP port 22, and at that point I am able to connect.
Hope to help
Giuseppe
06-11-2022 10:44 PM
Bump
06-11-2022 11:16 PM
- Means the (SSH) client and server cannot agree upon a common cipher to secure the connection.
M.
06-12-2022 12:50 PM
Hello,
--> *Jun 12 01:45:47.967: SSH2 0
Looks like your router is configured for version 2 only. Try and set it to version 1/2 (no ssh version 2), so when you do a 'show ip ssh' it should show version 1.99 (which means it supports both version 1 and 2)...