SSH Version error puTTy

cristicks · ‎05-08-2017

I am using a small home lab and trying to set up SSH on all my devices. I was successful setting it up on my switch but, when I try to SSH from my pc to my 2621XM router I'm getting a error in puTTY :

SSH protocol version 2 required by our configuration but the server only provides (old, insecure) SSH-1.

I understand that SSH v1 is unsecure and I have tried to re-configure using "2" after rsa but I get an "invalid input " with the marking pointing to the "2" character.

Any tips on how to configure this router to use SSH v2 ?

Is this 2621XM router even capable of using SSHv2?

Pardon the ignorance, I'm am a beginner trying to get some well needed practice here at home with real equipment.

Appreciate any help.

chrihussey · ‎05-09-2017

I have two 2651XMs, one is running "c2600-adventerprisek9-mz.123-14.T5.bin" and the "ip ssh version 2" command is available, I have another running "c2600-jk9s-mz.123-15.bin" and it is not. Reference the link below which shows you the command and the versions of code which it should be available. Unfortunately the trick will be getting your hands on a 2600 IOS as the routers are EOL.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp9081909290

Also, if this is only a lab, you can set Putty to do SSH v1 easy enough.

cristicks · ‎05-09-2017

Hello,

This is the IOS that my 2621XM is running:

"flash:c2600-advsecurityk9-mz.123-9b.bin"

I also already have these other IOS's:

-c1700-adventerprisek9-mz.124-25d

-c1700-adventerprisek9-mz.124-15.T14

-c2691-adventerprisek9-mz.124-25d

-c3725-adventerprisek9-mz.124-15.T14

-c3725-adventerprisek9-mz.124-25d

-c7200-adventerprisek9-mz.124-24.T8

-c7200-adventerprisek9-mz.152-4.S3

Not sure if I should try removing it and replacing it with c2691-adventerprisek9-mz.124-25d.

Yes, this is only a lab. If it is possible to set putty to do SSH1, that would make my life a little easier. Could you help me with that? In the meantime I will search how.

Thanks for your help

Julio E. Moisa · ‎05-09-2017

Hi

Unfortunately these IOS's cannot be used on your router. As this router was manufactured a long time ago it does not have support.

If you want to provide strong security I recommend at least use access-list to control the access remotely.

The c2691-adventerprisek9-mz.124-25d should not be used on the router.

Please check this link:

http://www.cisco.com/en/US/products/ps6441/products_tech_note09186a00804afba7.shtml

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

bersoare · ‎10-31-2017

Yes, there is a way of configuring putty to use V1, just open putty then click on SSH in the left hand side of the connection screen. By default, it is v2 only.

As Julio said above, generating a RSA with modulus of 768 or higher should enable support to ssh version 1.99, which is almost always compatible with ssh v2.

Julio E. Moisa · ‎05-09-2017

Hi

This router should support ssh v2 but not really sure about the IOS, but you can try executing the following configuration, this is just an example:

Example:

conf t

username cisco priv 15 pass cisco1

no aaa-new model

ip domain name mydomain.com
ip ssh version 2
ip ssh authen 3
ip ssh time 60
crypto key generate rsa (use 1024)

line vty 0 15 or line vty 0 4
transport input ssh
login local

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

cristicks · ‎05-09-2017

Hello Julio,

I entered those commands and got as far as the 4th line (ip ssh version 2) and got this:

R1(config)#ip ssh version 2
^
% Invalid input detected at '^' marker.

which makes me think that this routers IOS doesn't allow SSH2.

This is the show ver:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(9b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 18-Aug-04 18:58 by dchih
Image text-base: 0x80008098, data-base: 0x81309D74

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

R1 uptime is 50 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advsecurityk9-mz.123-9b.bin"

*Mar 1 00:50:58.075: %SYS-5-CONFIG_I: Configured from console by consoleal laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2621XM (MPC860P) processor (revision 0x301) with 126976K/4096K bytes of memory.
Processor board ID FOC083011NY (1640073437)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

I might be able to get my hands on a different IOS which will support SSH2, I'm just not sure which IOS will. These are the IOS's that I already have.

-c1700-adventerprisek9-mz.124-25d

-c1700-adventerprisek9-mz.124-15.T14

-c2691-adventerprisek9-mz.124-25d

-c3725-adventerprisek9-mz.124-15.T14

-c3725-adventerprisek9-mz.124-25d

-c7200-adventerprisek9-mz.124-24.T8

-c7200-adventerprisek9-mz.152-4.S3

Not sure if any of these will do???

Thanks for your help!

Julio E. Moisa · ‎09-24-2017

Hi

That IOS should be able to configure SSH ver 2, could you please run show ip ssh, it will show the version.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

paul driver · ‎11-05-2017

Hello

what is the output of - show ip ssh ?

If you dont even get as far as ssh then it seems to suggest that ios does not support the protocol.

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul