Thread: can't ssh to cisco IOS switch

  1. #1

    can't ssh to cisco IOS switch

    Hi,
    I'm still a newbie in OpenSuse and Linux in general.
    I'm running Leap 42.3 (with default settings as far as ssh is concerned) on the same LAN as a Cisco Catalyst 3750 switch, which has been running for a year or two, but I never tried to ssh to it from the OpenSuse console; usually I use PuTTY on Windows.
    The switch is configured with the default ssh configuration for access. There are no ACL rules.
    I have copied the ssh related settings:
    Code:
    SW3#sh run
    !
    hostname SW3
    
    username bulve privilege 15 password 7 15000A0
    
    ip domain-name are.lab
    !
    crypto pki trustpoint TP-self-signed-669718912
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-669718912
     revocation-check none
     rsakeypair TP-self-signed-669718912
    !
    !
    crypto pki certificate chain TP-self-signed-669718912
     certificate self-signed 01
      30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 36363937 31383931 32301E17 0D393330 33303130 30303131
      quit
    !
    ip ssh version 2
    
    interface Vlan1
     ip address 192.168.0.8 255.255.255.0
    !
    ip default-gateway 192.168.0.1
    ip classless
    !
    line vty 0 4
     exec-timeout 6666 0
     logging synchronous
     login local
     transport input telnet ssh
    line vty 5
     exec-timeout 6666 0
     logging synchronous
     login local
     transport input telnet ssh
    line vty 6 15
     login
    end
    By the way, I can connect from the same box with telnet.

    But I have trouble with ssh. Here is the error message when I'm trying to connect:
    Code:
    are@WORKSTATION:~> ssh bulve@192.168.0.8
    Unable to negotiate with 192.168.0.8 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
    This is my /etc/ssh/ssh_config file:
    Code:
    #    $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
    
    # This is the ssh client system-wide configuration file.  See
    # ssh_config(5) for more information.  This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.
    
    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    
    # Site-wide defaults for some commonly used options.  For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    
    # Minimum accepted size of the DH parameter p. By default this is set to 1024
    # to maintain compatibility with RFC4419, but should be set higher.
    # Upstream default is identical to setting this to 2048.
    # KexDHMin 1024
    
    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    
    # If you do not trust your remote host (or its administrator), you
    # should not forward X11 connections to your local X11-display for
    # security reasons: Someone stealing the authentification data on the
    # remote side (the "spoofed" X-server by the remote sshd) can read your
    # keystrokes as you type, just like any other X11 client could do.
    # Set this to "no" here for global effect or in your own ~/.ssh/config
    # file if you want to have the remote X11 authentification data to 
    # expire after twenty minutes after remote login.
        ForwardX11Trusted yes
    
    # This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL
    
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/identity
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
       Protocol 2
    #   Cipher 3des
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
    The only thing I have changed is uncommenting Protocol 2 after an unsuccessful attempt.


    Thank you for any ideas.

  2. #2

    Re: can't ssh to cisco IOS switch

    On 04/20/2018 04:16 PM, tasik wrote:
    > Unable to negotiate with 192.168.0.8 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

    Try the following from the client to get around the old obsolete security
    standards of your Cisco device:

    Code:
    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.0.8
    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
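The `-oKexAlgorithms=+...` workaround above re-enables the legacy method for every connection typed on that command line; the script below is an added example (not from the thread, and not OpenSSH's own tooling) that parses the "Their offer:" error, checks the offered method against a `ssh -Q kex` style listing, and emits a `Host` stanza so the weaker key exchange is only ever allowed for this one switch. The error line and the supported-method list are constructed sample inputs.

```shell
#!/bin/sh
# Added example: scope the legacy KEX workaround to one host in ~/.ssh/config
# instead of loosening /etc/ssh/ssh_config for every destination.

# Extract the comma-separated "Their offer:" list from an ssh
# "Unable to negotiate" error line (prints nothing for other lines).
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Return 0 if every offered method is in the client's supported list
# (one method per line, as printed by `ssh -Q kex`). The '+' syntax can
# only re-enable methods the client was built with, never add new ones.
client_supports_all() {
    offered="$1"; supported="$2"
    for m in $(printf '%s\n' "$offered" | tr ',' ' '); do
        printf '%s\n' "$supported" | grep -qx -- "$m" || return 1
    done
    return 0
}

# Emit a Host stanza that appends the legacy methods after the client's
# modern defaults ('+' keeps the defaults first) for this one host only.
legacy_kex_stanza() {
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$2"
}

# Constructed sample input: the error line quoted in the thread, and a
# constructed `ssh -Q kex` listing standing in for the real client's output.
ERR='Unable to negotiate with 192.168.0.8 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
SUPPORTED='curve25519-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

KEX=$(offered_kex "$ERR")
if client_supports_all "$KEX" "$SUPPORTED"; then
    legacy_kex_stanza 192.168.0.8 "$KEX"
else
    echo "client does not support: $KEX" >&2
fi
```

Append the printed stanza to `~/.ssh/config`; connections to any other host keep the client's default key-exchange list.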

  3. #3

    Re: can't ssh to cisco IOS switch

    Besides what ab suggested,
    I'm going to guess that Cisco has a firmware update you should install.
    Flash your switch with the firmware update and that should solve your problem properly.

    FYI -
    Diffie-Hellman is a fairly standard method of initiating the exchange of "secrets" when any kind of secure connection is set up. More than a year ago, serious flaws were published publicly which caused just about everybody to have to patch their products. It's certain that all current openSUSE, like most, only offer patched libraries today, but if you have equipment a year or older that requires encryption, it will have to be upgraded as well.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  4. #4

    Re: can't ssh to cisco IOS switch

    Thank you guys for your replies, nice to know that I'm not alone here :)
    Yes, guys from the gns3 forum dropped a link: https://www.openssh.com/legacy.html
    I will update here about my success in patching my switch.


    Thanks again.
