OpenSSH 6.4 connection to Cisco 6506 routers/switches fails

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, 13 Nov 2013, Loganaden Velvindron wrote:

> On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker at zip.com.au> wrote:
>> On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
>>
>>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>>> Now some (but not all) Cisco router logins hang:
>>>
>>> debug1: sending SSH2_MSG_KEXDH_INIT
>>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>>  [hangs]
>>>
>>
>> Suggestions in approximate order of likelihood.
>>  - the additional KexAlgorithms exceed some static buffer in the Cisco.
>>  Try:
>> "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>>  - you have some kind of path MTU problem and the extra traffic from the
>> additional algorithms pushes you past some packet boundary.  Check the
>> "send-q" column on client and the equivalent on the server and see if
>> they're non-zero and non-decreasing).
>
> Shouldn't Mike open a ticket at CISCO so that they start fixing the
> software on their side as well ?

Sorry to have taken so long to get back to you about this - your 
suggestion about "KexAlgorithms" caused me to test a lot of combinations 
to find what will work. It turns out the Cisco SSH server only supports a 
limited set of ciphers (this is documented sort-of by Cisco, and is 
displayed when you try to force a non-supported cipher).

This in turn seems to limit the key exchange mechanisms that will work.

Forcing a cipher with '-c' also appears to force something in the Kex for 
OpenSSH; I can't find anything about Kex in any Cisco docs.

I have created a special section of the 'ssh_config' file for those 
devices with these options, and all seems to be working fine:

Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchan
ge-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Thank you for the help!

>>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>>> removing that makes no difference.
>>
>> That's because Cipher affects only Protocol 1 (which was some time in the
>> past the only version at least some Cisco devices spoke).
>>
>>> However, forcing '-c 3des' does
>>> allow it to work (even though '3des' is supposed to be the default):
>>
>> 3des is the default Cipher Protocol 1.  Protocol 2 takes a list (Ciphers)
>> and its default is
>>
>>                 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>                 aes128-gcm at openssh.com,aes256-gcm at openssh.com,
>>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>>                 aes256-cbc,arcfour
>>
>> the -c option overrides both.
>>
>> --
>> Darren Tucker (dtucker at zip.com.au)
>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>>     Good judgement comes with experience. Unfortunately, the experience
>> usually comes from bad judgement.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Mike
--
Mike Peterson                            Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca                WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230                                           Fax: 416-978-6620


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux