507404 – net-misc/openssh - ssh fails to connect to Cisco systems with diffie-hellman-group-exchange-sha1

Bug 507404 - net-misc/openssh - ssh fails to connect to Cisco systems with diffie-hellman-group-exchange-sha1

Summary: net-misc/openssh - ssh fails to connect to Cisco systems with diffie-hellman-...

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Core system (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-04-11 12:07 UTC by coyote
Modified:	2019-04-19 23:38 UTC (History)
CC List:	1 user (show)

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=1026430 https://bugzilla.redhat.com/show_bug.cgi?id=1053107
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description coyote 2014-04-11 12:07:03 UTC

$ ssh -v admin@cisco3
OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to cisco3 [172.16.16.3] port 22.
debug1: Connection established.
debug1: identity file /home/coyote/.ssh/id_rsa type -1
debug1: identity file /home/coyote/.ssh/id_rsa-cert type -1
debug1: identity file /home/coyote/.ssh/id_dsa type -1
debug1: identity file /home/coyote/.ssh/id_dsa-cert type -1
debug1: identity file /home/coyote/.ssh/id_ecdsa type -1
debug1: identity file /home/coyote/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/coyote/.ssh/id_ed25519 type -1
debug1: identity file /home/coyote/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6p1-hpn14v4
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 172.16.16.3


CISCO: ssh 2 only

seems like https://bugzilla.redhat.com/show_bug.cgi?id=1026430

with workaround, described in comment #2:

ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 <destination>

all work.

Comment 1 Yarda 2019-04-19 23:38:05 UTC

Similar problem, but slightly different ending:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 520/1024
debug1: expecting SSH2_MSG_KEXDH_REPLY
Connection reset by 192.168.1.1 port 22

net-misc/openssh-7.9_p1-r4

Dropbear sshd v0.50 on the other end.

Workaround from the comment 0 works.

On Fedora 29 it's working nearly out of the box just the KexAlgorithms +diffie-hellman-group1-sha1 is needed. On gentoo all the options from the workaround have to be used.