
latest ssh and "diffie-hellman-group1-sha1" cypher no more accepted


pc_sg:
I've just updated the OS version on one of my NeDi servers, running Debian, going to Debian 9.
In the meantime I did a brand new installation of the latest "community" NeDi, i.e. 1.5.225.
But I discovered that NeDi was no longer able to CLI access my switches because access is only by ssh; telnet was disabled for security reasons.
Doing a test using SSH from the server console I saw this response: "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"
Looking around I saw that this cyphering is more or less deprecated and disabled by default in OpenSSH.
A common workaround suggested is to add "-oKexAlgorithms=+diffie-hellman-group1-sha1" to ssh command line.
There is no option in nedi.conf to add this, so I changed line 639 in file /var/nedi/inc/libcli.pm from
"my $known = "-o 'StrictHostKeyChecking no'";"
to
"my $known = "-o 'StrictHostKeyChecking no' -oKexAlgorithms=+diffie-hellman-group1-sha1";"


Now NeDi can access again my (Cisco) device by CLI.


Maybe not the best solution...


Any advice is welcome!

ascii:
I had the same issues.

I added the diffie-hellman-group1-sha1 to my /etc/ssh/ssh_config config.

michael:
Sorry, this is an old topic... On NeDi 1.9 this fix doesn't seem to work anymore (it worked on 1.8). Does anyone have the issue? I had to go back to telnet for specific switches.
My file /var/nedi/inc/libcli.pm has the fix, but when NeDi runs the discovery, it doesn't seem to take the change into account.

Prepare (CLI)  ----------------------------------------------------------------  Thu Sep  3 10:01:22 2020
SSH :xxx@IP:22 Tout:2s OS:IOS EN:[\w+().-]+#\s?$
PTY :Forking ssh  -l xxx IP
CLI0:no matching key exchange
EVNT:MOD=B/3 L=150 CL=cfge TGT=SW-xxx_02 MSG=Config backup error: no matching key exchange

Hannu Liljemark:
Michael, did you also try the ssh_config mod suggested in this thread?

kierberger:
E.g. you could add the following two lines for each switch to the .ssh file on the Debian server (substitute the IP):


Host A.B.C.D
        KexAlgorithms +diffie-hellman-group1-sha1


regards,
Josef
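
Added example, not from the thread or from NeDi: a small Python check that reports where a client ssh_config enables diffie-hellman-group1-sha1 and whether that is limited to one host (as in the Host block above) or applies to every connection. The function name, the sample configuration and its addresses are assumptions constructed for illustration.

```python
import re

LEGACY_KEX = {"diffie-hellman-group1-sha1"}  # the algorithm discussed in this thread
LINE_RE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.+)$")  # "Keyword value" or "Keyword=value"

def audit_ssh_config(text):
    """Return (lineno, scope, algorithms) for every line that enables a legacy KEX.

    scope is "global" when the option applies to all hosts (before the first
    Host/Match line, under a wildcard Host pattern, or under "Match all"),
    otherwise the Host/Match criteria it is limited to.
    """
    findings = []
    scope = "global"  # options before the first Host/Match apply to every host
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            pats = [p for p in value.split() if not p.startswith("!")]
            scope = "global" if any(c in p for p in pats for c in "*?") else value
        elif key == "match":
            scope = "global" if value.lower() == "all" else "match " + value
        elif key == "kexalgorithms" and not value.startswith("-"):
            # "+" appends and "^" prepends to the defaults; a bare list replaces
            # them; a leading "-" removes algorithms, so it is not a finding
            weak = sorted(set(value.lstrip("+^").split(",")) & LEGACY_KEX)
            if weak:
                findings.append((lineno, scope, weak))
    return findings

# Constructed sample configuration (documentation addresses, not real devices)
SAMPLE = "\n".join([
    "# constructed sample, not a real configuration",
    "Host 192.0.2.10",
    "    KexAlgorithms +diffie-hellman-group1-sha1",
    "Host 192.0.2.11",
    "    KexAlgorithms -diffie-hellman-group1-sha1",
    "Host *",
    "    KexAlgorithms=+diffie-hellman-group1-sha1,curve25519-sha256",
])

if __name__ == "__main__":
    for lineno, scope, weak in audit_ssh_config(SAMPLE):
        label = "ALL HOSTS" if scope == "global" else "only " + scope
        print(f"line {lineno}: {', '.join(weak)} enabled for {label}")
```

The check reads one file as given and does not follow Include directives, so run it separately on /etc/ssh/ssh_config and on the per-user config.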
