OpenSSH 6.4 connection to Cisco 6506 routers/switches fails
Darren Tucker
dtucker at zip.com.au
Wed Nov 13 09:05:17 EST 2013
On Tue, Nov 12, 2013 at 4:40 PM, <mikep at noc.utoronto.ca> wrote:
> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
> Now some (but not all) Cisco router logins hang:
>
> debug1: sending SSH2_MSG_KEXDH_INIT
> debug1: expecting SSH2_MSG_KEXDH_REPLY
> [hangs]
>
Suggestions in approximate order of likelihood.
- the additional KexAlgorithms exceed some static buffer in the Cisco.
Try:
"KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
- you have some kind of path MTU problem and the extra traffic from the
additional algorithms pushes you past some packet boundary. Check the
"send-q" column on client and the equivalent on the server and see if
they're non-zero and non-decreasing).
> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
> removing that makes no difference.
That's because Cipher affects only Protocol 1 (which was some time in the
past the only version at least some Cisco devices spoke).
> However, forcing '-c 3des' does
> allow it to work (even though '3des' is supposed to be the default):
>
3des is the default Cipher Protocol 1. Protocol 2 takes a list (Ciphers)
and its default is
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
the -c option overrides both.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list