I'm not sure if this problem is caused by the Lubuntu or the Cisco router side.
Lubuntu = 192.168.1.100
Cisco Router = 192.168.1.1
SSH from Lubuntu to Cisco Router
user@linux:~$ ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
user@linux:~$
user@linux:~$ ssh [email protected]
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$
This is on Cisco Router side
*Mar 1 01:41:19.631: SSH2 0: no matching cipher found: client [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
SSH Verbose
user@linux:~$ ssh 192.168.1.1 -l admin -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Authenticating to 192.168.1.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
user@linux:~$
More Cisco Log
R1(config)#ip ssh logging events
R1(config)#
R1(config)#
*Mar 1 01:56:21.723: SSH2 0: no matching cipher found: client [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
R1(config)#
*Mar 1 01:56:21.723: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.1.100 (tty = 0) using crypto cipher '', hmac '' Failed
*Mar 1 01:56:21.723: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.1.100 (tty = 0) for user '' using crypto cipher '', hmac '' closed
R1(config)#
What is the problem here and how to fix it?
Update 1
I've tried these as suggested here but it didn't solve the problem
user@linux:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$
user@linux:~$ ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
user@linux:~$
The problem is the Cisco router. Ubuntu's ssh client proposes a default set of modern and secure encryptions and the router proposes another set (with legacy algorithms) and they have none in common.
You can force ssh to add the weak legacy algorithms to its list of proposals:
From the command line:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.1
or adding the option to ~/.ssh/config
Host 192.168.1.1
KexAlgorithms +diffie-hellman-group1-sha1
As explained here (you have other solutions there), that might not be enough and you might have to enable ssh-dss too.
ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.1
or adding the option to ~/.ssh/config
Host 192.168.1.1
HostKeyAlgorithms +ssh-dss
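An added example, not part of the original answer: a Python helper that reads the `Unable to negotiate` lines quoted on this page (including the cipher failure from Update 1) and writes a `Host`-scoped `~/.ssh/config` stanza with one legacy algorithm per failing category, so the weak algorithms are enabled for the router only. The function names and the cipher ranking are this example's assumptions.

```python
import re

# Category named in OpenSSH's "no matching ... found" error -> ssh_config option.
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}
# Assumed ranking (this example's choice): largest AES key first, 3DES last.
PREFER = {"Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]}

FAILURE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port \d+: "
    r"no matching (?P<what>.+?) found\. Their offer: (?P<offer>\S+)"
)

def parse_failures(text):
    """Return {host: {option: [algorithms the peer offered]}}."""
    found = {}
    for m in FAILURE.finditer(text):
        option = OPTION_FOR.get(m.group("what"))
        offer = [a for a in m.group("offer").split(",") if a]
        if option and offer:  # skip unknown categories and empty offers
            found.setdefault(m.group("host"), {})[option] = offer
    return found

def pick(option, offer):
    """First ranked name the peer offers, else the peer's own first choice."""
    ranked = [n for n in PREFER.get(option, []) if n in offer]
    return (ranked or offer)[0]

def host_stanza(text):
    """ssh_config text adding one legacy algorithm per failing option, per host."""
    lines = []
    for host, options in parse_failures(text).items():
        lines.append(f"Host {host}")
        for option in OPTION_FOR.values():
            if option in options:
                lines.append(f"    {option} +{pick(option, options[option])}")
    return "\n".join(lines)

# The two distinct client-side failures quoted on this page.
SAMPLE = """\
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

print(host_stanza(SAMPLE))
```

Each connection attempt reports only the first category that fails to match, so collect the error from every retry before generating the stanza.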