RohitGupta857
Level 1

I am not able to log in to the ASAv device on AWS. I get the following message when I try from another EC2 (Ubuntu 16.04):

no matching key exchange method found. Their offer: diffie-hellman-group14-sha256

When I try from my Mac, I just get:

no matching key exchange method found

8 Comments

Try to use DH group14 sha1 from the clients (Linux & Mac).

I found this that should work on Mac OS X, not sure about Linux:

ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 <the username>@<the ASA IP address>

 

RohitGupta857
Level 1
Thanks.

I am using the virtual appliance on AWS, so I am not able to log in to make any changes. I tried a few things to update the Mac or EC2 to support SHA256 but have not been successful.

RohitGupta857
Level 1
Thanks for all the help - but no luck so far.

Also, the =+ form did not work at all, so I had to try it with just =.

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group14-sha256
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
ngkin2010
Level 7

Hi,

Your client doesn't allow sha256?

Can you try the following instead:

ssh -oKexAlgorithms=+diffie-hellman-group14-sha256 <the username>@<the ASA IP address>

| Algorithm category | Client's Proposal | Server's Proposal |
| --- | --- | --- |
| KEX Algorithms | diffie-hellman-group14-sha1 | diffie-hellman-group14-sha256 |
| Key Algorithms | ...<omitted>...,ssh-rsa,ssh-dss | ssh-rsa |
| Ciphers | chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,...<omitted>... | aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc |
| MAC Algorithms | ...<omitted>...,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,...<omitted>... | hmac-sha2-256 |

Try again please with the same command replacing DH group 14 with group 1.
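The debug output posted above and the proposal table in this reply both show the same thing: the client offers only diffie-hellman-group14-sha1 for key exchange while the server offers only diffie-hellman-group14-sha256, so there is no common entry. The script below is an added example (not code from the thread or from Cisco or OpenSSH) that parses an abbreviated, constructed copy of those kex_parse_kexinit lines and applies the negotiation rule from RFC 4253 section 7.1 to every field. It also models what -oKexAlgorithms=+<alg> does to the client's list, including the case where the client binary does not implement the algorithm at all; the OLD_CLIENT_KEX and NEW_CLIENT_KEX sets are constructed stand-ins for `ssh -Q kex` output, not real client inventories.

```python
"""Replay the SSH algorithm negotiation from the ssh -vvv output in this thread.

RFC 4253 section 7.1: for each category the negotiated algorithm is the first
entry in the client's name-list that also appears in the server's name-list.
If the kex lists share no entry, OpenSSH aborts with
"no matching key exchange method found. Their offer: <server kex list>".
"""

# Field order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Constructed sample, abbreviated from the kex_parse_kexinit lines posted above.
# OpenSSH prints the client's KEXINIT (10 name-lists + first_kex_follows +
# reserved) first, then the server's: 24 lines in total.
SAMPLE_DEBUG = """\
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group14-sha256
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-256
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""

# Constructed stand-ins for what `ssh -Q kex` prints on an older and a newer
# OpenSSH client; only the newer one implements diffie-hellman-group14-sha256.
OLD_CLIENT_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                  "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256"}
NEW_CLIENT_KEX = OLD_CLIENT_KEX | {"diffie-hellman-group14-sha256",
                                   "diffie-hellman-group16-sha512", "curve25519-sha256"}

def parse_kexinit(debug_text):
    """Split the kex_parse_kexinit lines into (client, server) proposal dicts."""
    values = [line.split("kex_parse_kexinit:", 1)[1].strip()
              for line in debug_text.splitlines() if "kex_parse_kexinit:" in line]
    if len(values) != 24:
        raise ValueError(f"expected 24 kex_parse_kexinit lines, got {len(values)}")

    def to_proposal(block):
        # An empty name-list (the language fields) must become [], not [""].
        return {name: [a for a in text.split(",") if a]
                for name, text in zip(FIELDS, block[:10])}

    return to_proposal(values[:12]), to_proposal(values[12:])

def choose(client_list, server_list):
    """First algorithm in the client's list that the server also offers, else None."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None

def negotiate(client, server):
    """Apply the RFC 4253 rule to every negotiated field (languages excluded)."""
    return {field: choose(client[field], server[field]) for field in FIELDS[:8]}

def add_client_kex(client, alg, supported):
    """Model -oKexAlgorithms=+alg: append alg to the client's kex name-list.

    Like OpenSSH, refuse an algorithm the client binary does not implement;
    that is the 'Unsupported KEX algorithm' error seen later in the thread.
    """
    if alg not in supported:
        raise ValueError(f'Unsupported KEX algorithm "{alg}"')
    return {**client, "kex": client["kex"] + [alg]}

def summarize(debug_text, extra_kex=None, supported=()):
    """Return the error OpenSSH would print, or the negotiated algorithm set."""
    client, server = parse_kexinit(debug_text)
    if extra_kex:
        client = add_client_kex(client, extra_kex, supported)
    chosen = negotiate(client, server)
    if chosen["kex"] is None:
        return ("no matching key exchange method found. Their offer: "
                + ",".join(server["kex"]))
    return ("kex {kex} hostkey {hostkey} cipher {enc_c2s} "
            "mac {mac_c2s} comp {comp_c2s}").format(**chosen)

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))  # client as posted: no common kex method
    try:  # +group14-sha256 on a client that does not implement it
        summarize(SAMPLE_DEBUG, "diffie-hellman-group14-sha256", OLD_CLIENT_KEX)
    except ValueError as err:
        print(err)
    # upgraded client: the same option now negotiates successfully
    print(summarize(SAMPLE_DEBUG, "diffie-hellman-group14-sha256", NEW_CLIENT_KEX))
```

Note that for the cipher and MAC fields the rule picks aes128-ctr and hmac-sha2-256, exactly what the posted log reports in its final two `kex:` lines, so those categories were never the problem; only the kex field lacks an intersection. The third case is the fix the thread ends on: a client that actually implements diffie-hellman-group14-sha256, at which point the option is accepted and negotiation completes.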

RohitGupta857
Level 1
I have tried both of these commands:

ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha256 -i admin@
ssh -vvv -oKexAlgorithms=+diffie-hellman-group1-sha256 -i admin@

And both result in the following output:
Unsupported KEX algorithm "diffie-hellman-group14-sha256"
Unsupported KEX algorithm "diffie-hellman-group1-sha256"

But, I was able to use a different client to overcome this error.

Thank you so much for the help.
RohitGupta857
Level 1

I upgraded my clients to support group14-sha256 and was able to log in to the ASAv.

You need to make sure that the ssh client supports this key exchange.
