ssh trouble


ssh trouble

Glenn English-5
4 boxes on the same network; an RPi3 running Raspbian Stretch, a laptop
and a desktop running Buster, and a Cisco router running IOS 12.4
(note upper case 'I' :-).

I have an expect script to get into the router. It's the same on all the hosts.

The problem is that the RPi and the desktop get

"Unable to negotiate with 216.17.134.201 port 22: no matching key
exchange method found. Their offer: diffie-hellman-group1-sha1"

from the router -- diffie-hellman-group1-sha1 is listed as one of the
encryption types available from my SSH programs.

And from expect:

send: spawn id exp4 not open
    while executing
"send "<passwd>\r""
    (file "./lir.sh" line 14)

On the laptop it works fine -- that says to me that there's nothing
wrong with the router. It worked on the others a couple days ago.

I've tried to get into the router by entering commands by hand, and I
get the same response.

I purged everything that looked like it had anything to do with ssh
(except some that were major dependencies for other things) from the
desktop and reinstalled and configured the packages. Also removed the
.debs from apt/archives. Exactly the same response.

And I SSH around between the hosts with no trouble. That says there's
nothing wrong with SSH. But something is, somewhere.

Anybody run into anything like this before?

--
Glenn English


Re: ssh trouble

Marc Auslander-4
Glenn English wrote:

> 4 boxes on the same network; an RPi3 running Raspbian Stretch, a laptop
> and a desktop running Buster, and a Cisco router running IOS 12.4
> (note upper case 'I' :-).
>
> I have an expect script to get into the router. It's the same on all the hosts.
>
> The problem is that the RPi and the desktop get
>
> "Unable to negotiate with 216.17.134.201 port 22: no matching key
> exchange method found. Their offer: diffie-hellman-group1-sha1"
>
> from the router -- diffie-hellman-group1-sha1 is listed as one of the
> encryption types available from my SSH programs.
>
> And from expect:
>
> send: spawn id exp4 not open
>      while executing
> "send "<passwd>\r""
>      (file "./lir.sh" line 14)
>
> On the laptop it works fine -- that says to me that there's nothing
> wrong with the router. It worked on the others a couple days ago.
>
> I've tried to get into the router by entering commands by hand, and I
> get the same response.
>
> I purged everything that looked like it had anything to do with ssh
> (except some that were major dependencies for other things) from the
> desktop and reinstalled and configured the packages. Also removed the
> .debs from apt/archives. Exactly the same response.
>
> And I SSH around between the hosts with no trouble. That says there's
> nothing wrong with SSH. But something is, somewhere.
>
> Anybody run into anything like this before?
>  
Newer versions of ssh deprecate diffie-hellman-group1-sha1.
Putting KexAlgorithms +diffie-hellman-group1-sha1 in config for the host
works for me. There is also a way to do it on the ssh command line.


Re: ssh trouble

Glenn English-5
On Tue, Dec 18, 2018 at 9:18 PM Marc Auslander <[hidden email]> wrote:

> Newer versions of ssh deprecate diffie-hellman-group1-sha1
> Putting KexAlgorithms +diffie-hellman-group1-sha1 in config for the host
> works for me.  There is also a way to do it on the ssh command line.

I'll look into this, but one Buster install works, and another and a
Stretch don't.

Hmmm. When I search the web to find out what KexAlgorithms means, I
find I've been there before (the 76 year old memory is less than
optimal). Looking more promising. Thanks, Marc.

--
Glenn English


Re: ssh trouble

Greg Wooledge
On Tue, Dec 18, 2018 at 10:00:12PM +0000, Glenn English wrote:
> Hmmm. When I search the web to find out what KexAlgorithms means, I
> find I've been there before (the 76 year old memory is less than
> optimal). Looking more promising. Thanks, Marc.

Key Exchange Algorithms.  Should be documented in ssh_config(5) and
sshd_config(5).

The important point is that the client will have a list of these things,
and the server will have a list of these things, and there must be at
least *one* in common between the two lists, or else communication will
not occur.


Re: ssh trouble [Solved]

Glenn English-5
Adding the diffie-hellman line to the config worked, but then the
router complained that there wasn't a matching cipher.

I suspected that if I fixed that, the router'd complain about
something else, so I gave up and fixed things by copying the working
/etc/ssh config dir from the laptop to the other hosts. I compared the
working config with the bent one and didn't see much of interest. I
really have no idea what I did to break things.

But it's going. Thanks all.

--
Glenn English
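The three posts above (Marc's "+" config line, Greg's point that the two algorithm lists must overlap, and the cipher complaint that followed) can be reproduced offline. The script below is an added example and is not code from the thread: it parses OpenSSH's "Their offer:" error line, intersects it with what the client is willing to propose, and emits a ssh_config stanza that appends the legacy algorithm for that one host only. diffie-hellman-group1-sha1 is the fixed 1024-bit Oakley group 2 from RFC 4253; OpenSSH 7.0 removed it from the client's default proposal at run time while keeping it compiled in, which is why `ssh -Q kex` still lists it while `ssh -G router` (the effective per-host configuration) does not. Prefer a `Host` block over a global setting so the 1024-bit group is only re-enabled for the router, and prefer `diffie-hellman-group14-sha1` (2048-bit) if the router can be configured to offer it. The host alias `router`, the abbreviated client lists and the CBC cipher offer are assumptions constructed for the example; IOS 12.4 may offer something else. One caveat on the fix that finally worked: copying the whole /etc/ssh directory also copies the sshd host keys (ssh_host_*_key), so the desktop and RPi now present the laptop's server identity; regenerating them with `ssh-keygen -A` after such a copy is the usual cleanup.

```shell
#!/bin/sh
# Added example, not from the thread: explain an OpenSSH "no matching ..."
# failure and build a host-scoped legacy stanza for the Cisco router.

# --- constructed inputs -------------------------------------------------
# Abbreviated stand-in for what `ssh -G router` reports as enabled on a
# Buster-era client (assumption; real lists are longer).
CLIENT_KEX="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512"
CLIENT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

# The kex line is the one quoted in the thread; the cipher line is a
# constructed stand-in for the complaint the [Solved] post mentions
# (a CBC-only IOS 12.4 offer is an assumption).
KEX_ERR='Unable to negotiate with 216.17.134.201 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
CIPHER_ERR='Unable to negotiate with 216.17.134.201 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'

# their_offer ERRLINE : the comma-separated list after "Their offer:"
their_offer() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# list_intersect A B : items of comma-list A also present in comma-list B,
# one per line; no output means no common algorithm, so the handshake fails.
list_intersect() {
  for x in $(printf '%s' "$1" | tr ',' ' '); do
    case ",$2," in *",$x,"*) printf '%s\n' "$x" ;; esac
  done
}

# first_common CLIENT SERVER : the algorithm that would be chosen; the
# client's order of preference wins (RFC 4253 section 7.1). Empty if none.
first_common() {
  list_intersect "$1" "$2" | sed -n '1p'
}

# negotiate CLIENT_LIST ERRLINE : "ok <alg>" or "fail <what the peer offered>"
negotiate() {
  offer=$(their_offer "$2")
  chosen=$(first_common "$1" "$offer")
  if [ -n "$chosen" ]; then
    printf 'ok %s\n' "$chosen"
  else
    printf 'fail %s\n' "$offer"
  fi
}

# legacy_stanza HOST KEX CIPHER : ssh_config block using the "+" form so the
# legacy algorithms are appended for this host only, never enabled globally.
legacy_stanza() {
  printf 'Host %s\n' "$1"
  if [ -n "$2" ]; then printf '    KexAlgorithms +%s\n' "$2"; fi
  if [ -n "$3" ]; then printf '    Ciphers +%s\n' "$3"; fi
}

# Demonstration: both handshakes fail, then the minimal stanza that fixes them.
negotiate "$CLIENT_KEX" "$KEX_ERR"
negotiate "$CLIENT_CIPHERS" "$CIPHER_ERR"
# Append only the single strongest cipher the peer offers, not its whole list.
legacy_stanza router "$(their_offer "$KEX_ERR")" aes128-cbc
```

The equivalent one-off from the command line is `ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o Ciphers=+aes128-cbc router`; `ssh -vv router` shows both proposal lists during the handshake if the guess is wrong.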


Re: ssh trouble

Dan Purgert
Greg Wooledge wrote:

> On Tue, Dec 18, 2018 at 10:00:12PM +0000, Glenn English wrote:
>> Hmmm. When I search the web to find out what KexAlgorithms means, I
>> find I've been there before (the 76 year old memory is less than
>> optimal). Looking more promising. Thanks, Marc.
>
> Key Exchange Algorithms.  Should be documented in ssh_config(5) and
> sshd_config(5).
>
> The important point is that the client will have a list of these things,
> and the server will have a list of these things, and there must be at
> least *one* in common between the two lists, or else communication will
> not occur.

And further to that, there has to be an agreeable modulus size in
certain cases as well (I think for the "Diffie-Hellman" based
algorithms). Ran into THAT being a problem when ssh changed from
minimum 1024 to 2048 (apparently, some old box of mine was still running
with <2048-bit at the time).


--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281