SSH Cisco IOS – Configure SSH Cipher on Cisco IOS 12.2(55)SE7

cisco-ios-12ssh

Today a customer contacted me because he has upgraded his MacBook to MacOS X Sierra and since then, when trying to access a switch via SSH he got the message

Unable to negotiate with 10.XX.XX.XX port 22: no matching key exchange
method found. Their offer: diffie-hellman-group1-sha1

The switch is a Cisco 2960S running IOS 12.2(55)SE7 (C2960S-UNIVERSALK9-M)

I looked at the command reference guide for this version, but was unable to find any command to configure SSH ciphers. (we can only configure SSH version 1 / 2 or both)

Is it possible with this version?

P.S. Yes I'm aware that he should use RSA key authentication, and upgrade the IOS version, I recommended it but this will need some testing and change management.

Best Answer

As stated by @Teun Vink in comment, no way to do so but the given workaround using

ssh -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 $HOST

do the trick.

Related Solutions

Netflow differences between IOS 12.2 and 15.1

There should not be obvious difference if you don't have any cfg changed.

Unless you want to use Netflow v9 or IPFIX in new template format in new IOS versions.

Switch – Cisco IOS built-in SSH client default version

ssh version 2 for IOS 12.1(19)E and later

SSH from one switch to another... for reasons I can't explain, Cisco calls SSHv2 SSH-1.99...

SRV1#debug ip ssh client
SSH Client debugging is on
SRV1#ssh 10.19.1.2

Password:
Jun  4 13:45:28.747 CDT: SSH1: sent protocol version id SSH-1.99-Cisco-1.25   <-----
Jun  4 13:45:28.787 CDT: SSH CLIENT0: protocol version id is - SSH-1.99-Cisco-1.25
Jun  4 13:45:28.787 CDT: SSH CLIENT0: sent protocol version id SSH-1.99-Cisco-1.25

Also from linux when connecting to IOS...

[mpenning@something ~]$ ssh -v dst1
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to dst1 [10.19.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/mpenning/.ssh/identity type -1
debug1: identity file /home/mpenning/.ssh/id_rsa type 1
debug1: identity file /home/mpenning/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version Cisco-1.25     <-------
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0                         <--------
debug1: Local version string SSH-2.0-OpenSSH_5.3

Best Answer

Related Solutions

Netflow differences between IOS 12.2 and 15.1

Switch – Cisco IOS built-in SSH client default version

Related Topic