OpenSSH 6.4 connection to Cisco 6506 routers/switches fails

Loganaden Velvindron loganaden at gmail.com
Wed Jan 8 22:49:21 EST 2014


On Tue, Dec 24, 2013 at 4:00 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Dec 24, 2013 at 7:52 AM,  <mikep at noc.utoronto.ca> wrote:
> [...]
>> Sorry to have taken so long to get back to you about this - your suggestion
>> about "KexAlgorithms" caused me to test a lot of combinations to find what
>> will work. It turns out the Cisco SSH server only supports a limited set of
>> ciphers (this is documented sort-of by Cisco, and is displayed when you try
>> to force a non-supported cipher).
>>
>> This in turn seems to limit the key exchange mechanisms that will work.
>>
>> Forcing a cipher with '-c' also appears to force something in the Kex for
>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>
> I'm happy you found something that works, but the SSH protocol 2
> negotiation should allow it to negotiate a mutually-compatible set of
> algorithms or to definitively tell you that no such set exists.  The
> fact that it hangs with some settings means there's still a bug in
> there somewhere.
>
> Did you get a response from Cisco?

Off topic:
I tried connecting to a CISCO router and it doesn't offer blowfish as
a cipher :-(

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#qa8

I think it's time we all start lobbying CISCO to ship the new
cipher/mac/kex algorithms that are going to ship with OpenSSH 6.5
when it's going to be released.





>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
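
The negotiation behaviour discussed in the quoted reply, as an added example that is not part of the original thread or of OpenSSH's code: it builds and parses SSH_MSG_KEXINIT name-lists (RFC 4253, section 7.1) and applies the first-match rule, returning a definite "no common algorithm" result instead of hanging. The offers, the `both_ways` and `demo` helpers and the field labels are constructed for illustration and do not reflect any particular client or device.

```python
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Encode type byte 20, a 16-byte cookie, ten name-lists, flag, reserved."""
    out = b"\x14" + bytes(16)  # all-zero cookie: demo only, random on the wire
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += len(body).to_bytes(4, "big") + body
    return out + b"\x00" + bytes(4)

def parse_kexinit(payload):
    """Decode the name-lists; reject mistyped or truncated payloads."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list: " + name)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        parsed[name] = raw.split(",") if raw else []
        pos += 4 + n
    return parsed

def negotiate(client, server):
    """First client-listed name the server also lists, else None (simplified:
    kex/hostkey get the same first-match rule; language lists are skipped)."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:8]}

def no_common(chosen):  # categories where the two sides share no algorithm
    return [f for f in FIELDS[:8] if chosen[f] is None]

def both_ways(kex, hostkey, enc, mac, comp):  # same lists in both directions
    return {"kex": kex, "hostkey": hostkey, "enc_c2s": enc, "enc_s2c": enc,
            "mac_c2s": mac, "mac_s2c": mac, "comp_c2s": comp, "comp_s2c": comp}

# Constructed sample offers, not captured from any real client or device.
CLIENT = both_ways(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                   ["ssh-rsa", "ssh-dss"], ["aes128-ctr", "aes128-cbc", "blowfish-cbc"],
                   ["hmac-md5", "hmac-sha1"], ["none", "zlib@openssh.com"])
SERVER = both_ways(["diffie-hellman-group1-sha1"], ["ssh-rsa"],
                   ["aes128-cbc", "3des-cbc"], ["hmac-sha1", "hmac-md5"], ["none"])

def demo(offer):  # round-trip both offers through the wire format, then negotiate
    wire = lambda lists: parse_kexinit(build_kexinit(lists))
    return negotiate(wire(offer), wire(SERVER))
```

Calling `demo(CLIENT)` gives the agreed set; restricting the client's cipher list to `blowfish-cbc` alone makes `no_common` report both encryption directions, which is the outcome a client should surface as an error.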


More information about the openssh-unix-dev mailing list