OpenSSH 6.4 connection to Cisco 6506 routers/switches fails

Loganaden Velvindron loganaden at gmail.com
Wed Nov 13 16:44:21 EST 2013


On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
>
>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>> Now some (but not all) Cisco router logins hang:
>>
>> debug1: sending SSH2_MSG_KEXDH_INIT
>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>  [hangs]
>>
>
> Suggestions in approximate order of likelihood.
>  - the additional KexAlgorithms exceed some static buffer in the Cisco.
>  Try:
> "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>  - you have some kind of path MTU problem and the extra traffic from the
> additional algorithms pushes you past some packet boundary.  Check the
> "send-q" column on client and the equivalent on the server and see if
> they're non-zero and non-decreasing).

Shouldn't Mike open a ticket at CISCO so that they start fixing the
software on their side as well?

>
>
>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>> removing that makes no difference.
>
>
> That's because Cipher affects only Protocol 1 (which was some time in the
> past the only version at least some Cisco devices spoke).
>
>
>> However, forcing '-c 3des' does
>> allow it to work (even though '3des' is supposed to be the default):
>>
>
> 3des is the default Cipher for Protocol 1.  Protocol 2 takes a list (Ciphers)
> and its default is
>
>                 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>                 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>                 aes256-cbc,arcfour
>
> the -c option overrides both.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
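The two checks Darren suggests above, pinning the older KexAlgorithms for the affected devices only and watching whether the client's TCP send queue stays non-zero across two snapshots, as an added shell example that is not part of the thread or of OpenSSH. The host pattern, the peer addresses and the netstat snapshots are constructed; the ssh_config stanza uses the exact KexAlgorithms list from Darren's message.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the KEXDH_REPLY hang:
#
#  kex_fallback_stanza PATTERN
#      Prints an ssh_config Host block that restricts KexAlgorithms to the
#      three older methods for hosts matching PATTERN, so the shorter
#      KEXINIT only goes to the devices that need it.
#
#  stuck_sendq SNAP1 SNAP2 [PORT]
#      Takes two 'netstat -tn' (or 'ss -tn') snapshots captured a few seconds
#      apart and prints sockets to PORT (default 22) whose Send-Q is non-zero
#      and did not shrink between them: the client keeps retransmitting and
#      the peer never acknowledges, which is what a path MTU black hole looks
#      like from the client side.

kex_fallback_stanza() {
    pattern="$1"   # host pattern is an assumption, e.g. 'rtr-*.example.net'
    printf 'Host %s\n' "$pattern"
    printf '    KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n'
}

stuck_sendq() {
    snap1="$1"; snap2="$2"; port="${3:-22}"
    # Both netstat -tn and ss -tn data lines put Send-Q in $3, the local
    # socket in $4 and the peer socket in $5; header lines are skipped
    # because their third field is not numeric.
    printf '%s\n---\n%s\n' "$snap1" "$snap2" | awk -v port="$port" '
        BEGIN { snap = 1 }
        $0 == "---" { snap = 2; next }
        $3 !~ /^[0-9]+$/ { next }
        $5 !~ (":" port "$") { next }
        snap == 1 { first[$4 " " $5] = $3; next }
        ($4 " " $5) in first {
            q0 = first[$4 " " $5] + 0
            q1 = $3 + 0
            if (q1 > 0 && q1 >= q0)
                printf "%s -> %s Send-Q stuck at %d\n", $4, $5, q1
        }'
}

# Constructed sample snapshots: the first session to 192.0.2.1 still has a
# full segment queued in both captures, the second session has drained.
SNAP1='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0   1448 192.0.2.10:51234        192.0.2.1:22            ESTABLISHED
tcp        0    512 192.0.2.10:51240        192.0.2.2:22            ESTABLISHED'
SNAP2='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0   1448 192.0.2.10:51234        192.0.2.1:22            ESTABLISHED
tcp        0      0 192.0.2.10:51240        192.0.2.2:22            ESTABLISHED'

kex_fallback_stanza 'rtr-*.example.net'
stuck_sendq "$SNAP1" "$SNAP2"
```

In practice capture the snapshots with `netstat -tn` or `ss -tn` while the client sits at "expecting SSH2_MSG_KEXDH_REPLY"; a socket that stays in the report is the MTU case, while a socket that drains but still hangs points back at the device choking on the longer algorithm list.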

