On Tue, Dec 24, 2013 at 7:52 AM, <mikep at noc.utoronto.ca> wrote:
[...]
> Sorry to have taken so long to get back to you about this - your suggestion
> about "KexAlgorithms" caused me to test a lot of combinations to find what
> will work. It turns out the Cisco SSH server only supports a limited set of
> ciphers (this is documented sort-of by Cisco, and is displayed when you try
> to force a non-supported cipher).
>
> This in turn seems to limit the key exchange mechanisms that will work.
>
> Forcing a cipher with '-c' also appears to force something in the Kex for
> OpenSSH; I can't find anything about Kex in any Cisco docs.

I'm happy you found something that works, but the SSH protocol 2 negotiation
should allow it to negotiate a mutually-compatible set of algorithms or to
definitively tell you that no such set exists. The fact that it hangs with
some settings means there's still a bug in there somewhere.

Did you get a response from Cisco?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
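The negotiation behaviour referred to in the reply above, as an added example that is not part of the original message and is not OpenSSH or Cisco code: it applies the RFC 4253 section 7.1 name-list rule (first client algorithm that the server also lists) per category and fails explicitly when a category has no overlap. The algorithm lists are constructed sample values, not taken from any device, and the extra host-key conditions the RFC places on key exchange selection are omitted.

```python
# Added illustration: SSH-2 algorithm selection per RFC 4253 section 7.1.
# Simplified: the host-key capability checks for kex selection are left out.

class NoCommonAlgorithm(Exception):
    """A category has no algorithm supported by both sides."""

CATEGORIES = ("kex", "cipher", "mac")

def pick(category, client_list, server_list):
    # The chosen algorithm is the first name on the client's list
    # that also appears on the server's list.
    for name in client_list:
        if name in server_list:
            return name
    # No overlap: the connection must fail with a clear error, not hang.
    raise NoCommonAlgorithm(
        f"no common {category} algorithm: "
        f"client offers {client_list}, server offers {server_list}"
    )

def negotiate(client, server):
    """Return the agreed algorithm for every category, or raise."""
    return {c: pick(c, client[c], server[c]) for c in CATEGORIES}

# Constructed client preference lists (order matters).
CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}

# Constructed server with a deliberately limited set of algorithms.
SERVER = {
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}

if __name__ == "__main__":
    print(negotiate(CLIENT, SERVER))
    # Restricting the client to one cipher the server lacks (the effect of
    # forcing an unsupported cipher with '-c') must give a definitive error.
    try:
        negotiate(dict(CLIENT, cipher=["aes128-ctr"]), SERVER)
    except NoCommonAlgorithm as err:
        print("negotiation failed:", err)
```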