
List:       openssh-unix-dev
Subject:    Re: OpenSSH 6.4 connection to Cisco 6506 routers/switches fails
From:       mikep () noc ! utoronto ! ca
Date:       2014-01-08 17:30:09
Message-ID: Pine.GSO.4.64.1401081227390.17064 () kraken ! noc ! utoronto ! ca

On Wed, 8 Jan 2014, Loganaden Velvindron wrote:

> On Tue, Dec 24, 2013 at 12:52 AM,  <mikep@noc.utoronto.ca> wrote:
>> On Wed, 13 Nov 2013, Loganaden Velvindron wrote:
>>
>>> On Wed, Nov 13, 2013 at 2:05 AM, Darren Tucker <dtucker@zip.com.au> wrote:
>>>>
>>>> On Tue, Nov 12, 2013 at 4:40 PM, <mikep@noc.utoronto.ca> wrote:
>>>>
>>>>> Just upgraded to OpenSSH_6.4 with OpenSSL 1.0.1e and libz.so.1.2.8.
>>>>> Now some (but not all) Cisco router logins hang:
>>>>>
>>>>> debug1: sending SSH2_MSG_KEXDH_INIT
>>>>> debug1: expecting SSH2_MSG_KEXDH_REPLY
>>>>>  [hangs]
>>>>>
>>>>
>>>> Suggestions in approximate order of likelihood.
>>>>  - the additional KexAlgorithms exceed some static buffer in the Cisco.
>>>>  Try:
>>>> "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
>>>>  - you have some kind of path MTU problem and the extra traffic from the
>>>> additional algorithms pushes you past some packet boundary.  Check the
>>>> "send-q" column on client and the equivalent on the server and see if
>>>> they're non-zero and non-decreasing.
>>>
>>>
>>> Shouldn't Mike open a ticket at CISCO so that they start fixing the
>>> software on their side as well ?
>>
>>
>> Sorry to have taken so long to get back to you about this - your suggestion
>> about "KexAlgorithms" caused me to test a lot of combinations to find what
>> will work. It turns out the Cisco SSH server only supports a limited set of
>> ciphers (this is documented sort-of by Cisco, and is displayed when you try
>> to force a non-supported cipher).
>
> That's short-sighted coming from them.
>
> I have tested and I have the same problem with the latest snapshot. This 
> is very annoying.
>
> Do you have a ticket number where I can also chip in ?

I have no access to open Cisco tickets, and our local router person who
does is still away (like most universities, we've been closed for the
past few weeks).

I'll talk to him when he gets back, but agree this is very annoying.

>> This in turn seems to limit the key exchange mechanisms that will work.
>>
>> Forcing a cipher with '-c' also appears to force something in the Kex for
>> OpenSSH; I can't find anything about Kex in any Cisco docs.
>>
>> I have created a special section of the 'ssh_config' file for those devices
>> with these options, and all seems to be working fine:
>>
>> Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>> KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>
>> Thank you for the help!
>>
>>
>>>>> Originally I had 'Cipher blowfish' set in '/etc/ssh/ssh_config', but
>>>>> removing that makes no difference.
>>>>
>>>>
>>>> That's because Cipher affects only Protocol 1 (which was some time in the
>>>> past the only version at least some Cisco devices spoke).
>>>>
>>>>> However, forcing '-c 3des' does
>>>>> allow it to work (even though '3des' is supposed to be the default):
>>>>
>>>>
>>>> 3des is the default Cipher for Protocol 1.  Protocol 2 takes a list (Ciphers)
>>>> and its default is
>>>>
>>>>                 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>>>>                 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
>>>>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
>>>>                 aes256-cbc,arcfour
>>>>
>>>> the -c option overrides both.
>>>>
>>>> --
>>>> Darren Tucker (dtucker at zip.com.au)
>>>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>>>>     Good judgement comes with experience. Unfortunately, the experience
>>>> usually comes from bad judgement.

--
Mike Peterson                            Information Security Analyst - Audit
E-mail: mikep@noc.utoronto.ca                WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230                                           Fax: 416-978-6620
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
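As an added example (not part of Mike's message, and not OpenSSH's or Cisco's own material): the per-device ssh_config section Mike describes, written as a Host stanza, plus a small check that the stanza is placed ahead of any "Host *" block. The check matters because ssh_config uses the first value obtained for each option, so a global Ciphers or KexAlgorithms line that comes earlier would silently override the device-specific one. The host patterns (*.rtr.example.edu, core-sw-*) and file paths are placeholders; the Ciphers and KexAlgorithms values are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Host patterns and paths are
# placeholders; the Ciphers/KexAlgorithms lines are the ones Mike posted.

# Stanza that restricts the legacy algorithms to the Cisco devices only.
# It must come before any "Host *" block: ssh_config keeps the first value
# it obtains for each option, so an earlier global setting would win.
CISCO_STANZA='# Cisco IOS devices: only these ciphers and KEX methods work
Host *.rtr.example.edu core-sw-*
    Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
'

# Write a config file: the Cisco stanza first, then the generic defaults.
write_config() {
    out="$1"
    printf '%s\n' "$CISCO_STANZA" > "$out"
    printf 'Host *\n    ServerAliveInterval 30\n' >> "$out"
}

# Return 0 when the first "Host" line matching $2 precedes the first "Host *"
# line in config file $1 (or when there is no "Host *" line at all);
# return 1 when the stanza is missing or is shadowed by an earlier wildcard.
stanza_precedes_wildcard() {
    cfg="$1"; pattern="$2"
    dev_line=$(grep -n "^[[:space:]]*Host[[:space:]].*$pattern" "$cfg" | head -n 1 | cut -d: -f1)
    wild_line=$(grep -n '^[[:space:]]*Host[[:space:]][[:space:]]*\*[[:space:]]*$' "$cfg" | head -n 1 | cut -d: -f1)
    [ -n "$dev_line" ] || return 1      # device stanza missing entirely
    [ -n "$wild_line" ] || return 0     # no wildcard block, nothing can shadow it
    [ "$dev_line" -lt "$wild_line" ]
}

# Stand-alone usage: build a sample config in a temp file and report the check.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_config "$tmp"
    if stanza_precedes_wildcard "$tmp" 'rtr.example.edu'; then
        echo "ok: Cisco stanza precedes Host *"
    else
        echo "warning: Cisco stanza is shadowed by an earlier Host * block"
    fi
    rm -f "$tmp"
fi
```

Two checks worth running on a real client: on OpenSSH 6.3 and later, `ssh -Q cipher` and `ssh -Q kex` list the algorithms the client build supports, which is what the values in the stanza must be drawn from; on 6.8 and later, `ssh -G <host>` prints the configuration that would actually apply to that host after Host matching, so you can confirm the device stanza (and not a global one) is in effect. Keeping the CBC ciphers and the 1024-bit diffie-hellman-group1-sha1 exchange confined to this stanza leaves the stronger defaults in place for every other host.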