OpenSSH 6.4 connection to Cisco 6506 routers/switches fails

mikep at noc.utoronto.ca mikep at noc.utoronto.ca
Thu Jan 9 04:30:09 EST 2014


On Wed, 8 Jan 2014, Loganaden Velvindron wrote:

> On Tue, Dec 24, 2013 at 12:52 AM,  <mikep at noc.utoronto.ca> wrote:
>> On Wed, 13 Nov 2013, Loganaden Velvindron wrote:
>>
>>> On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker at zip.com.au> wrote:
>>>>
>>>> On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
>>>>
>>>>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>>>>> Now some (but not all) Cisco router logins hang:
>>>>>
>>>>> debug1: sending SSH2_MSG_KEXDH_INIT
>>>>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>>>>  [hangs]
>>>>>
>>>>
>>>> Suggestions in approximate order of likelihood.
>>>>  - the additional KexAlgorithms exceed some static buffer in the Cisco.
>>>>  Try:
>>>> "KexAlgorithms
>>>> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>>>>  - you have some kind of path MTU problem and the extra traffic from the
>>>> additional algorithms pushes you past some packet boundary.  Check the
>>>> "send-q" column on client and the equivalent on the server and see if
>>>> they're non-zero and non-decreasing.
>>>
>>>
>>> Shouldn't Mike open a ticket at CISCO so that they start fixing the
>>> software on their side as well ?
>>
>>
>> Sorry to have taken so long to get back to you about this - your suggestion
>> about "KexAlgorithms" caused me to test a lot of combinations to find what
>> will work. It turns out the Cisco SSH server only supports a limited set of
>> ciphers (this is documented sort-of by Cisco, and is displayed when you try
>> to force a non-supported cipher).
>
> That's short-sighted coming from them.
>
> I have tested and I have the same problem with the latest snapshot. This 
> is very annoying.
>
> Do you have a ticket number where I can also chip in ?

I have no access to open Cisco tickets, and our local router person who
does is still away (like most universities, we've been closed for the
past few weeks).

I'll talk to him when he gets back, but agree this is very annoying.

>> This in turn seems to limit the key exchange mechanisms that will work.
>>
>> Forcing a cipher with '-c' also appears to force something in the Kex for
>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>>
>> I have created a special section of the 'ssh_config' file for those devices
>> with these options, and all seems to be working fine:
>>
>> Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>> KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>
>> Thank you for the help!
>>
>>
>>>>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>>>>> removing that makes no difference.
>>>>
>>>>
>>>> That's because Cipher affects only Protocol 1 (which was some time in the
>>>> past the only version at least some Cisco devices spoke).
>>>>
>>>>> However, forcing '-c 3des' does
>>>>> allow it to work (even though '3des' is supposed to be the default):
>>>>
>>>>
>>>> 3des is the default Cipher Protocol 1.  Protocol 2 takes a list (Ciphers)
>>>> and its default is
>>>>
>>>>                 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>>>                 aes128-gcm at openssh.com,aes256-gcm at openssh.com,
>>>>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>>>>                 aes256-cbc,arcfour
>>>>
>>>> the -c option overrides both.
>>>>
>>>> --
>>>> Darren Tucker (dtucker at zip.com.au)
>>>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>>>>     Good judgement comes with experience. Unfortunately, the experience
>>>> usually comes from bad judgement.
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>
>> Mike
>> --
>> Mike Peterson                            Information Security Analyst - Audit
>> E-mail: mikep at noc.utoronto.ca                WWW: http://www.noc.utoronto.ca/
>> Tel: 416-978-5230                                           Fax: 416-978-6620

--
Mike Peterson                            Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca                WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230                                           Fax: 416-978-6620
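The thread boils down to SSH algorithm negotiation: the client sends its KexAlgorithms and Ciphers preference lists, and the server picks the first client entry it also supports (RFC 4253 section 7.1). The script below is an added illustration, not code from the thread or from OpenSSH. It implements that negotiation rule, shows which of the client's default entries a limited server cannot use, and renders the per-Host ssh_config stanza Mike described so the legacy algorithms are offered only to the devices that need them rather than globally. The OpenSSH 6.4 default KexAlgorithms list is written from memory and should be treated as an assumption; the "Cisco" lists are taken from the working configuration quoted above and are only assumed to be the device's full supported set.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) applied to the lists
discussed in this thread. Added example; not part of the original post."""

from typing import List, Optional, Sequence

# Assumed: OpenSSH 6.4 client default KexAlgorithms, from memory.
OPENSSH_64_KEX = (
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)

# Taken from Mike's working ssh_config; assumed to be what the Cisco side accepts.
CISCO_KEX = (
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)
CISCO_CIPHERS = ("aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc")

# Algorithms a defender would rather not offer to every server (1024-bit group,
# SHA-1 based exchange, CBC modes). Used only to annotate the generated stanza.
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
          "diffie-hellman-group14-sha1", "3des-cbc", "aes128-cbc",
          "aes192-cbc", "aes256-cbc"}


def parse_name_list(value: str) -> List[str]:
    """Split an SSH name-list ("a,b,c") as it appears in ssh_config."""
    return [name for name in value.split(",") if name]


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """RFC 4253 s7.1: first algorithm in the client's order that the server
    also lists wins; None means the connection must fail."""
    supported = set(server)
    for alg in client:
        if alg in supported:
            return alg
    return None


def unsupported_by_server(client: Sequence[str], server: Sequence[str]) -> List[str]:
    """Client preferences the server cannot use, in client order. These are
    the extra names that the thread suspects overflow the Cisco's buffer."""
    supported = set(server)
    return [alg for alg in client if alg not in supported]


def host_stanza(pattern: str, kex: Sequence[str], ciphers: Sequence[str]) -> str:
    """Render a scoped ssh_config block. Scoping to a Host pattern keeps the
    legacy algorithms off the lists offered to every other server."""
    legacy_used = sorted(LEGACY.intersection(kex).union(LEGACY.intersection(ciphers)))
    lines = [f"Host {pattern}"]
    if legacy_used:
        lines.append("    # legacy algorithms enabled for this host only: "
                     + ", ".join(legacy_used))
    lines.append("    KexAlgorithms " + ",".join(kex))
    lines.append("    Ciphers " + ",".join(ciphers))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("kex chosen:", negotiate(OPENSSH_64_KEX, CISCO_KEX))
    print("ignored by server:", unsupported_by_server(OPENSSH_64_KEX, CISCO_KEX))
    # Hostname pattern is a placeholder; substitute the real device names.
    print(host_stanza("router-*.example.invalid", CISCO_KEX, CISCO_CIPHERS))
```

With the lists above, negotiation would still succeed in principle (group-exchange-sha256 is common to both), which is consistent with the thread's suspicion that the hang is a server-side problem with the longer list rather than a genuine algorithm mismatch; trimming the list to what the device supports sidesteps it.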

