On Tue, Dec 24, 2013 at 4:00 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Dec 24, 2013 at 7:52 AM, <mikep at noc.utoronto.ca> wrote:
> [...]
>> Sorry to have taken so long to get back to you about this - your suggestion
>> about "KexAlgorithms" caused me to test a lot of combinations to find what
>> will work. It turns out the Cisco SSH server only supports a limited set of
>> ciphers (this is documented sort-of by Cisco, and is displayed when you try
>> to force a non-supported cipher).
>>
>> This in turn seems to limit the key exchange mechanisms that will work.
>>
>> Forcing a cipher with '-c' also appears to force something in the Kex for
>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>
> I'm happy you found something that works, but the SSH protocol 2
> negotiation should allow it to negotiate a mutually-compatible set of
> algorithms or to definitively tell you that no such set exists. The
> fact that it hangs with some settings means there's still a bug in
> there somewhere.
>
> Did you get a response from Cisco?

Off topic: I tried connecting to a CISCO router and it doesn't offer
blowfish as a cipher :-(
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#qa8

I think it's time we all start lobbying CISCO to ship the new
cipher/mac/kex algorithms that are going to ship with OpenSSH 6.5 when
it's going to be released.

>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
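The negotiation rule discussed in this thread, as an added example that is not part of the original messages or of OpenSSH's code: a sketch of the RFC 4253 section 7.1 name-list matching, showing that each category either yields the client's first mutually supported algorithm or a definite failure. The algorithm lists, `negotiate` and `force_cipher` are assumptions constructed for illustration and are not taken from any Cisco device.

```python
# Added illustration of RFC 4253 section 7.1 name-list matching.
# All lists below are constructed samples, not captured from a real device.

class NoCommonAlgorithm(Exception):
    """Raised when one category has no algorithm both sides support."""

def pick(category, client_list, server_list):
    # The chosen algorithm is the first name in the CLIENT's list
    # that also appears anywhere in the server's list.
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    raise NoCommonAlgorithm(
        f"no common {category}: client={client_list} server={server_list}")

def negotiate(client, server):
    # Simplification (assumption): kex uses the same first-match rule here.
    # The RFC additionally requires a host key type usable with that kex.
    return {cat: pick(cat, client[cat], server[cat]) for cat in client}

def force_cipher(client, cipher):
    # Models pinning one cipher on the client side (what 'ssh -c' does):
    # the client's cipher name-list shrinks to a single entry.
    forced = dict(client)
    forced["cipher"] = [cipher]
    return forced

CLIENT = {  # constructed client preference order
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-ctr", "aes128-cbc", "3des-cbc", "blowfish-cbc"],
    "mac": ["hmac-md5", "hmac-sha1"],
}
SERVER = {  # constructed server with a deliberately narrow list
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}

if __name__ == "__main__":
    print(negotiate(CLIENT, SERVER))
    try:
        negotiate(force_cipher(CLIENT, "blowfish-cbc"), SERVER)
    except NoCommonAlgorithm as err:
        # A conforming peer disconnects here instead of hanging.
        print("disconnect:", err)
```
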