Cisco 3750G – Fixing SSH Diffie Hellman Group 1 SHA1 Error

authentication, cisco, cisco-3750, cisco-catalyst, ssh

I recently implemented SSH configuration on my 3750G switch stack.

I have:

- set the domain name
- generated the RSA key using 2048 bits
- ensured that the vty lines are set to transport input ssh

Now I am getting an error from multiple telnet/ssh clients saying more or less the following.

[screenshot of the SSH client's error message]

I have already tried zeroizing the RSA key and generating a new 2048 bit key, but the same issue still persists.

I don't seem to have an issue with other switch stacks at other locations (although those are 3750X's, not 3750G's). Is this a known issue with this particular IOS or model?

I am currently running the following:

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
     1 52    WS-C3750G-48TS     12.2(55)SE12          C3750-IPBASEK9-M
*    2 52    WS-C3750G-48PS     12.2(55)SE12          C3750-IPBASEK9-M
     3 52    WS-C3750G-48PS     12.2(55)SE12          C3750-IPBASEK9-M
     4 52    WS-C3750G-48PS     12.2(55)SE12          C3750-IPBASEK9-M

Best Answer

Your SSH client is saying "we can't agree on the cipher: server wants X but I'm configured not to speak X". This is a completely general SSH problem, not specifically related to this model of switch, which is that the SSH clients are regularly changed, usually to disallow older, weaker ciphers. This isn't about key length, it's about cipher algorithms.

Your choices include:

  • Upgrade the switch software (believed not possible in this instance)
  • Upgrade the switch hardware so it has more recent software (costs money and time)
  • Force the client to use something the server will accept (might be risky, depending on your security situation, but this is usually the best immediate solution while you decide what to do in the longer term)
  • Make the server accept telnet or something without crypto issues (almost certainly risky but depends on your security situation)
  • Get physical access and use the console

Example with a router running old software:

 $ ssh 192.168.17.1
 Unable to negotiate with 192.168.17.1 port 22: no matching cipher found.
 Their offer:  aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
 $ ssh -c aes128-cbc 192.168.17.1
 Password: 

OpenSSH gives advice on this issue here: https://www.openssh.com/legacy.html

Another possibility might be to add some kind of external SSH-to-serial unit, though some will regard this as the worst of all worlds, but it might give good ciphers across SSH.
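A scoped version of the answer's `ssh -c` workaround, added here as an example and not part of the original answer: this Python helper parses the "Unable to negotiate" messages a current OpenSSH client prints and emits a `Host` stanza for `~/.ssh/config` that re-enables the single strongest legacy algorithm for that one device only, the approach the OpenSSH legacy page recommends over loosening global defaults. The sample error messages are constructed; the address is taken from the answer's example.

```python
import re

# Map OpenSSH's error wording to the ssh_config keyword that controls it.
_KEYWORDS = {"key exchange method": "KexAlgorithms", "cipher": "Ciphers",
             "host key type": "HostKeyAlgorithms"}

# Strongest-first order for choosing among legacy algorithms (unknown names sort
# last); enable the single best one the device offers, not its whole list.
_PREFERENCE = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
               "diffie-hellman-group1-sha1", "aes256-cbc", "aes192-cbc",
               "aes128-cbc", "3des-cbc", "ssh-rsa", "ssh-dss"]

_ERR = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): no matching "
    r"(?P<what>key exchange method|cipher|host key type) found\.\s*"
    r"Their offer:\s*(?P<offer>[\w@.,-]+)")

def parse_negotiation_error(text):
    """Return (host, port, ssh_config keyword, offered algorithms) or None."""
    m = _ERR.search(text)
    if not m:
        return None
    offer = [a for a in m.group("offer").split(",") if a]
    return m.group("host"), int(m.group("port")), _KEYWORDS[m.group("what")], offer

def choose_algorithm(offer):
    # Lowest index in _PREFERENCE wins; names not in the list rank last.
    return min(offer, key=lambda a: _PREFERENCE.index(a) if a in _PREFERENCE else len(_PREFERENCE))

def legacy_stanza(errors):
    """Build one Host stanza from the negotiation errors seen against one device."""
    parsed = [p for p in map(parse_negotiation_error, errors) if p]
    if not parsed:
        return ""
    host, port = parsed[0][:2]
    lines = [f"Host {host}"] + ([f"    Port {port}"] if port != 22 else [])
    for _, _, keyword, offer in parsed:
        # "+" appends to the client's default list instead of replacing it.
        lines.append(f"    {keyword} +{choose_algorithm(offer)}")
    return "\n".join(lines)

# Constructed sample (not from the thread): the messages a current OpenSSH client
# prints against a device like the one in the question, using the answer's address.
SAMPLE_ERRORS = [
    "Unable to negotiate with 192.168.17.1 port 22: no matching key exchange "
    "method found.\nTheir offer: diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.168.17.1 port 22: no matching cipher found.\n"
    "Their offer:  aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "Unable to negotiate with 192.168.17.1 port 22: no matching host key type "
    "found.\nTheir offer: ssh-rsa",
]
```

Run each failing `ssh` once, paste its errors into `SAMPLE_ERRORS`, and append `legacy_stanza(...)` to `~/.ssh/config`; because the stanza is keyed on that host, every other connection keeps the client's hardened defaults.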