Unable to access Edgecore switch (EdgeCOS) via SSH? Follow
Problem description:
If the OpenSSH version on your operating system is newer than 7.0 (Figure-1), you may see error messages and be unable to access the switch via SSH (Figure-2).
Figure-1: OpenSSH 7.8p1 on Ubuntu.
ts@ts-ThinkPad-T430:~$ ssh -V
OpenSSH_7.8p1, OpenSSL 1.0.2g 1 Mar 2016
Enabling the SSH server on the switch:
Console#ip ssh crypto host-key generate
Console#configure
Console(config)#ip ssh server
Console(config)#
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Figure-2: You may see the following three types of error messages.
ts@ts-ThinkPad-T430:~$ ssh admin@192.168.30.254
Unable to negotiate with 192.168.30.254 port 22: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1
ts@ts-ThinkPad-T430:~$
ts@ts-ThinkPad-T430:~$ ssh admin@192.168.30.254
Unable to negotiate with 192.168.30.254 port 22: no matching host key type found.
Their offer: ssh-dss
ts@ts-ThinkPad-T430:~$
ts@ts-ThinkPad-T430:~$ ssh admin@192.168.30.254
Unable to negotiate with 192.168.30.254 port 22: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,des-cbc@ssh.com,des-cbc
Solution: both workarounds follow the OpenSSH legacy-options guidance [1].
<1> Add the legacy algorithm options on the command line when you run ssh.
ts@ts-ThinkPad-T430:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc admin@192.168.30.254
The authenticity of host '192.168.30.254 (192.168.30.254)' can't be established.
DSA key fingerprint is SHA256:MSm7td0VkWmmZHJXuo73ZCrQqZQz7pDFaxF7UANaa7Q.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.254' (DSA) to the list of known hosts.
admin@192.168.30.254's password:
***************************************************************
WARNING - MONITORED ACTIONS AND ACCESSES
Station's information:
Floor / Row / Rack / Sub-Rack
/ / /
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
/ / /
Number of LP:
Position MUX:
IP LAN:
Note:
***************************************************************
CLI session with the ECS4120-28T is opened.
To end the CLI session, enter [Exit].
Vty-1#
<2> Create the "~/.ssh/config" file before you run ssh.
ts@ts-ThinkPad-T430:~$ vi .ssh/config
ts@ts-ThinkPad-T430:~$ cat .ssh/config
Host *
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
Ciphers aes128-cbc
ts@ts-ThinkPad-T430:~$ ssh admin@192.168.30.254
admin@192.168.30.254's password:
***************************************************************
WARNING - MONITORED ACTIONS AND ACCESSES
Station's information:
Floor / Row / Rack / Sub-Rack
/ / /
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
/ / /
Number of LP:
Position MUX:
IP LAN:
Note:
***************************************************************
CLI session with the ECS4120-28T is opened.
To end the CLI session, enter [Exit].
Vty-1#
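The following is an added example, not part of the original article or of Edgecore's own tooling. It parses the three "Unable to negotiate" messages from Figure-2, maps each one to the ssh_config keyword that controls that algorithm class (KexAlgorithms, HostKeyAlgorithms, Ciphers), and emits a stanza scoped to that one Host instead of the "Host *" stanza used above, so the legacy algorithms are enabled only for the switch and every other host keeps the OpenSSH defaults. The "+" prefix appends to the default set rather than replacing it. The preference order used to pick an algorithm from the switch's offer is an assumption (it selects aes256-cbc where the article chose aes128-cbc by hand); the sample messages are constructed from the article's Figure-2 text.

```python
import re

# ssh_config keyword that controls each class of algorithm named in the
# three OpenSSH error messages shown in Figure-2 of the article.
ERROR_TO_KEYWORD = {
    "no matching key exchange method found": "KexAlgorithms",
    "no matching host key type found": "HostKeyAlgorithms",
    "no matching cipher found": "Ciphers",
}

# Assumed preference order: when the switch offers several legacy
# algorithms, take the strongest one first. Not from the article.
PREFERENCE = {
    "KexAlgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
}

# Constructed sample input, reproducing the article's Figure-2 output
# (including the line wrap in the cipher list).
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.168.30.254 port 22: no matching key exchange method found.\n"
    "Their offer: diffie-hellman-group1-sha1\n",
    "Unable to negotiate with 192.168.30.254 port 22: no matching host key type found.\n"
    "Their offer: ssh-dss\n",
    "Unable to negotiate with 192.168.30.254 port 22: no matching cipher found.\n"
    "Their offer: aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,des-cbc@ssh.com,\n"
    "des-cbc\n",
]

OFFER_RE = re.compile(
    r"Unable to negotiate with (\S+) port (\d+): (.+?)\.\s*Their offer: (.+)", re.S
)


def parse_offer(text):
    """Return (host, ssh_config keyword, [offered algorithms]) for one message."""
    m = OFFER_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSH 'Unable to negotiate' message")
    host, _port, reason, offer = m.groups()
    keyword = ERROR_TO_KEYWORD[reason.strip()]
    # The offer is a comma-separated list; drop wrap newlines and blanks.
    algos = [a.strip() for a in offer.replace("\n", "").split(",") if a.strip()]
    return host, keyword, algos


def choose(keyword, offered):
    """Pick the most preferred algorithm the switch actually offers."""
    for algo in PREFERENCE[keyword]:
        if algo in offered:
            return algo
    raise ValueError(f"no acceptable {keyword} in offer: {offered}")


def collect(messages):
    """Parse all messages for one host into {keyword: chosen algorithm}."""
    host, chosen = None, {}
    for msg in messages:
        h, keyword, offered = parse_offer(msg)
        if host is not None and h != host:
            raise ValueError("messages refer to different hosts")
        host = h
        chosen[keyword] = choose(keyword, offered)
    return host, chosen


def build_config(messages):
    """Emit a ~/.ssh/config stanza scoped to the switch only (not Host *)."""
    host, chosen = collect(messages)
    lines = [f"Host {host}"]
    for keyword in ("KexAlgorithms", "HostKeyAlgorithms", "Ciphers"):
        if keyword in chosen:
            # '+' appends to the OpenSSH default set instead of replacing it.
            lines.append(f"    {keyword} +{chosen[keyword]}")
    return "\n".join(lines) + "\n"


def build_command(user, messages):
    """Emit the equivalent one-off ssh command line using -o options."""
    host, chosen = collect(messages)
    opts = [f"-o{k}=+{v}" for k, v in chosen.items()]
    return "ssh " + " ".join(opts) + f" {user}@{host}"


if __name__ == "__main__":
    print(build_config(SAMPLE_ERRORS))
    print(build_command("admin", SAMPLE_ERRORS))
```

Paste the printed stanza into ~/.ssh/config; because it is bound to the switch's address, running ssh to any other host still negotiates only the modern defaults. The one-off command form is useful when you do not want the exception to persist at all.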
Reference:
[1]https://www.openssh.com/legacy.html
This is a very bad workaround that undermines the entire security of the network! The switches should support modern SSH crypto and key exchange algorithms if they are supposed to be used in a modern enterprise.