ssh from cisco to OpenBSD 6.2 error status 0
Marko Cupać
2017-12-25 10:13:41 UTC
Hi,

I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
6.2. No problem with 6.1.

Anyone else with this problem? Any idea how to solve it or where to
start digging?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Peter N. M. Hansteen
2017-12-25 14:06:34 UTC
Marko Cupać wrote:
> Hi,
> I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
> 6.2. No problem with 6.1.
> Anyone else with this problem? Any idea how to solve it or where to
> start digging?
I'd start by looking for messages in /var/log/authlog on the OpenBSD
machine, and if possible running with ssh -v or -vv (I forget how many
you can usefully put in, or if the Cisco boxes even use the same
options) to get more detail on what happens.

My hunch is that you will be looking at resolving a gap in ciphers
offered as available at either end. Newer ssh versions have
incrementally dropped or disabled by default the unsafe ones, but
increasing the message verbosity will point you in the right direction.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Marko Cupać
2017-12-28 10:45:06 UTC
On Mon, 25 Dec 2017 15:06:34 +0100, Peter N. M. Hansteen wrote:
> Marko Cupać wrote:
>> Hi,
>> I noticed I can't ssh from cisco router running IOS 15.X to OpenBSD
>> 6.2. No problem with 6.1.
>> Anyone else with this problem? Any idea how to solve it or where to
>> start digging?
> I'd start by looking for messages in /var/log/authlog on the OpenBSD
> machine, and if possible running with ssh -v or -vv (I forget how many
> you can usefully put in, or if the Cisco boxes even use the same
> options) to get more detail on what happens.
> My hunch is that you will be looking at resolving a gap in ciphers
> offered as available at either end. Newer ssh versions have
> incrementally dropped or disabled by default the unsafe ones, but
> increasing the message verbosity will point you in the right
> direction.
Hi,

thanks for pointing me to auth.log, I never have problems with ssh, so
I don't have the habit of checking auth.log - I was looking at messages
and daemon logs.

I saw this in auth.log:
Protocol major versions differ for 192.168.223.1 port 45187:
SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25

I started passing different cipher options to ssh client on cisco, and
finally managed to connect to OpenBSD 6.2 with:

ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Darren Tucker
2017-12-29 02:03:48 UTC
On 28 December 2017 at 21:45, Marko Cupać <***@mimar.rs> wrote:
> [...]
> SSH-2.0-OpenSSH_7.6 vs. SSH-1.99-Cisco-1.25
That's a bug in the Cisco implementation. RFC4253 section 4.2 says the
protocol version MUST be 2.0. Section 5.1 defines "1.99" as a backward
compatibility alias for servers that speak both 1.5 and 2.0 protocols, but
it is not specified for a client. sshd used to accept it but it probably
shouldn't have (see https://bugzilla.mindrot.org/show_bug.cgi?id=2810).

> I started passing different cipher options to ssh client on cisco, and
> ssh -v 2 -c aes256-ctr -m hmac-sha1-160 IP.ADD.RE.SS
On Unix systems you can put the equivalent Ciphers and MACs directives into
~/.ssh/config under a Host for that device to save you having to remember
it. I don't know if your Cisco has any equivalent.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
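The banner mismatch in Marko's authlog line and Darren's RFC 4253 point, worked through as an added example (this is not OpenSSH's or Cisco's code, and it is not part of the thread): a parser for the identification string and a check that reproduces the "Protocol major versions differ" decision. It goes a little beyond the single case in the thread by handling both roles (a 1.99 alias from a server is valid per section 5.1, from a client it is not) and by offering a switch that models the older sshd behaviour Darren mentions. The names `parse_banner`, `major_version`, `check_peer`, the `accept_199_from_clients` switch and the sample banners with comments are assumptions constructed for the example; the two banners and the peer address come from the thread.

```python
"""Added example: parse SSH identification strings (RFC 4253 section 4.2) and
reproduce the protocol-major-version check behind the authlog line quoted in
the thread. Not OpenSSH's or Cisco's code; function names, the legacy switch
and the sample values are constructed for illustration."""
import re

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF", at most
# 255 bytes including CR LF. The RFC forbids '-' inside softwareversion, but
# real banners such as "SSH-1.99-Cisco-1.25" contain one, so the software
# field is matched leniently: everything after the second '-' up to the first
# space.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_BANNER_LEN = 255


def parse_banner(raw: bytes) -> dict:
    """Split one identification line into proto / software / comments."""
    if len(raw) > MAX_BANNER_LEN:
        raise ValueError("identification string longer than 255 bytes")
    # The banner is US-ASCII by definition; any other byte is a hard error.
    text = raw.decode("ascii").rstrip("\r\n")
    m = BANNER_RE.match(text)
    if m is None:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return m.groupdict()


def major_version(proto: str) -> int:
    """Numeric major version of a protoversion string such as '2.0' or '1.5'."""
    return int(proto.split(".", 1)[0])


def check_peer(local_raw: bytes, remote_raw: bytes, remote_role: str,
               peer: str, port: int, accept_199_from_clients: bool = False):
    """Decide whether the remote identification string is acceptable.

    remote_role is "client" when we are the server (sshd's view, as in the
    thread) or "server" when we are the client. Returns (ok, message); the
    failure message has the shape of the sshd authlog line from the thread.
    """
    local = parse_banner(local_raw)
    remote = parse_banner(remote_raw)
    local_text = local_raw.decode("ascii").rstrip("\r\n")
    remote_text = remote_raw.decode("ascii").rstrip("\r\n")
    mismatch = (f"Protocol major versions differ for {peer} port {port}: "
                f"{local_text} vs. {remote_text}")

    if remote["proto"] == "1.99":
        # RFC 4253 s5.1 defines 1.99 only for servers that speak both 1.x and
        # 2.0; a 2.0 client treats it as 2.0. From a client it is undefined,
        # so a current sshd rejects it unless the legacy switch is on.
        if remote_role == "server" or accept_199_from_clients:
            return True, f"{remote['software']} announces 1.99; treating it as 2.0"
        return False, mismatch

    if major_version(remote["proto"]) != major_version(local["proto"]):
        return False, mismatch
    return True, f"protocol {remote['proto']} agreed with {remote['software']}"


if __name__ == "__main__":
    # Constructed run: the two banners from the thread as sshd sees them,
    # once with current behaviour and once with the legacy alias accepted.
    for legacy in (False, True):
        ok, msg = check_peer(b"SSH-2.0-OpenSSH_7.6\r\n", b"SSH-1.99-Cisco-1.25\r\n",
                             "client", "192.168.223.1", 45187,
                             accept_199_from_clients=legacy)
        print(f"accept_199_from_clients={legacy}: ok={ok}: {msg}")
```

Running the block prints the same diagnostic Marko found in authlog for the default case and an acceptance message when the legacy switch is on; the point for a defender reading such a log line is that the rejection happens before any cipher or MAC negotiation, so the per-Host Ciphers and MACs settings Darren describes only matter once the peer sends a conforming "SSH-2.0-" banner.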