
Catalyst 4500 series - Stronger key exchange algorithm?

bgardner
Level 1

We have a Catalyst 4506 switch with Supervisor IV model WS-X4515, ROM version 12.2(20r)EW1, IOS version 12.2(52)SG.

When connecting to this unit via SSH for administration from Linux (e.g. Fedora 24, OpenSSH v7.2p2), the connection fails with the message:

    no matching key exchange method found. Their offer: diffie-hellman-group1-sha1


We can connect successfully with SSH command line option:

    -oKexAlgorithms=+diffie-hellman-group1-sha1


Can the switch be configured to use a stronger key exchange algorithm? If not, is it due to a hardware limitation? Are stronger algorithms supported by newer IOS versions?

2 Replies

Harrie Hendriks
Level 1

We have the same problem. We are using SecureCRT with SSH2 to manage the Catalyst 4500 and the Catalyst 6500 switches.

The CAT4500 switches are with Sup IV (4506) and Sup V (4510). We are using IOS version 15.0(2)SG10.

The CAT 6500 switches are with Sup32 and the IOS version is 12.2(33)SXI14

SecureCRT gives the following answer:

    Key exchange failed.
    No compatible key-exchange method. The server supports these methods: diffie-hellman

    The diffie-hellman key-exchange method is off by default to address the Logjam
    vulnerability. It can be turned on in the Sessions Options dialog in the
    Connection/SSH2 category in order to connect to servers that only support
    diffie-hellman.

If we switch the diffie-hellman key exchange to on, we can manage the switch, but can the cat4500 and/or the cat6500 switch have a stronger key exchange?

I found it on 1841 with Version 12.4(19). Starting with which version is there no need to edit SecureCRT?

Thank you very much.
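
Both client errors above are derived from the server's SSH_MSG_KEXINIT packet, which lists the key exchange methods a device offers. The following is an added example, not part of the original thread: it parses that packet (RFC 4253 layout) and reports whether a device offers only legacy methods. `LEGACY_KEX`, the function names and the sample packets are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Policy assumption for this example: methods treated as legacy (1024-bit group).
LEGACY_KEX = {"diffie-hellman-group1-sha1"}

def parse_kex_algorithms(packet):
    """Return the kex_algorithms name-list from one unencrypted SSH binary packet."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if packet_length + 4 > len(packet) or padding_length + 1 > packet_length:
        raise ValueError("inconsistent packet/padding length")
    payload = packet[5:4 + packet_length - padding_length]
    # Payload: msg type (1) + cookie (16) + name-list length (4) + names
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    (n,) = struct.unpack(">I", payload[17:21])
    if n > len(payload) - 21:
        raise ValueError("name-list overruns payload")
    names = payload[21:21 + n].decode("ascii")
    return names.split(",") if names else []

def assess(packet):
    """Classify a device by the key exchange methods it offers."""
    offered = parse_kex_algorithms(packet)
    legacy = [k for k in offered if k in LEGACY_KEX]
    return {"offered": offered, "legacy": legacy,
            "legacy_only": bool(offered) and len(legacy) == len(offered)}

def build_sample_kexinit(kex_names):
    """Constructed test input: KEXINIT with only kex_algorithms populated."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex_names)
    payload += name_list([]) * 9                 # remaining nine name-lists, empty
    payload += b"\x00" + struct.pack(">I", 0)    # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8             # pad total size to a multiple of 8
    if pad < 4:
        pad += 8                                 # RFC 4253 requires at least 4 bytes
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + bytes(pad)

if __name__ == "__main__":
    old = build_sample_kexinit(["diffie-hellman-group1-sha1"])
    print(assess(old))
```

On a live connection the KEXINIT packet follows the plain-text version banner exchange, so the bytes passed to `assess` must start at the first binary packet, not at the `SSH-2.0-...` line.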
