Securecrt 6 7 X64 License Keyl


Stephanie Dejoode

Jul 17, 2024, 12:37:53 AM
to bicomlessblas

So I have this 3750 stack switch which uses telnet to log in, and today I wanted to change it to use ssh, but I can't log in.
It seems that the switch doesn't send matching ciphers though the ssh config on both switches is identical. @BudMan and @sc302 any ideas? I am out of clues to be honest, and don't know what to do next.

What IOS are your switches running? New versions of openssh are locked down to not accept OLD stuff... You will have to change your client to allow for old ciphers and hmac.. Cisco is a bit dated on keeping up with ciphers.. Run your client in -vvv when you connect to see the full list of what was offered and what was tried, etc.




I guess I figured it out, it works when I do (below command) and obviously I don't want this workaround. Is it so that new versions use aes256-ctr instead of aes256-crc because it's more "safe" and can reach higher speed?

1. Edit your local .ssh/config file by removing the #'s in front of the lines of the offered cipher (as budman said)
2. Add specific host configs within your .ssh/config file to specify which cipher you want to use for which host (basically your -c without you having to remember to do it each time)

It depends on your work environment I guess. I personally don't have the time available to me to do 2 and 4 (despite them being the better options and starting this way) and with a sizeable estate of varying switch models and versions, opted for 3 which hasn't failed me so far.

Personally, I'm trying to push to a more unified IOS version across the estate with a git-style workflow for configuration changes... But, as it generally takes 3 weeks for me to get 5 minutes of damn downtime to replace a cable half of the time, I'll continue dreaming!

1. I had already tried that but still couldn't ssh to the device.

2. Add specific host configs within your .ssh/config file to specify which cipher you want to use for which host (basically your -c without you having to remember to do it each time)

Same here, we have an almost unified IOS version on all the switches and routers, but on this one it's not possible as of now, though I am going to upgrade and that only might solve the problem.

But you should really move to the current ios, and use of the current ciphers and algos - old stuff is retired for a reason.. Since it's not secure.. You should probably be using a chacha if your switches supported it. But like I said cisco is always behind!!!

You can do the same with openssh client... What versions of clients are you running? openssh is 7.8p1 I believe and securecrt 8.5 released a while ago.. You need to make sure you're using current clients so that they support current best use ciphers and algos

To your config file.. Again you need to just make sure your ssh client and server are using the same cipher, algo, mac -- their lists of offered and accept have to be able to agree. Then you can just ssh in without having to do anything on cmd line.

I believe my client and my securecrt are up to date. To be honest, I don't have the energy to troubleshoot this anymore (I was kind of sure it is because my Cisco switch is using old algos and ciphers since it hasn't been updated in 3 years, 39 weeks, 3 days, 15 hours, 35 minutes). I will update the switch in a couple of weeks and hopefully that will solve the problem. I worked at a customer site, the 6500 and 4500 haven't been rebooted in almost 10 years.
