Howard Jones
2015-05-15 16:38:38 UTC
After a lot of fiddling around, I found that my previous RANCID system,
running on CentOS 5 was just not able to reliably deal with ExtremeXOS
switches, apparently due to an expect issue. So I've just finished
moving to a new (RANCID 3.2, CentOS 7) system. I'd forgotten how many
little patches I'd added over the last couple of years, so that was a
fun process! My Extreme switches are backing up correctly, though.
Anyway, now I find that I can't connect to a few Cisco ASRs with SSH
from that new box (works fine with putty). They just drop connection
with this slightly strange message in the logs:
May 15 16:57:30.399 BST: SSH2 1: Client DH key range mismatch with max
built-in DH key on server!
May 15 16:57:30.399 BST: %SSH-5-SSH2_SESSION: SSH2 Session request from
192.168.0.27 (tty = 1) using crypto cipher '', hmac '' Failed
May 15 16:57:30.399 BST: %SSH-5-SSH2_CLOSE: SSH2 Session from
192.168.0.27 (tty = 1) for user '' using crypto cipher '', hmac '' closed
On the Rancid side, I actually copied all the SSH keys (host and rancid
user) across from the old machine, to avoid any 'key changed' type
issues. Running with ssh -v, the last messages are:
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
This seems to be to do with a new lower key size restriction in newer
openssh version - does anyone know a way around it? Ideally without
regenerating the keys on the routers? In fact, I just tried regenerating
a 2048-bit key on one of the affected routers, and it makes no
difference anyway.
Thanks in advance,
Howard
running on CentOS 5 was just not able to reliably deal with ExtremeXOS
switches, apparently due to an expect issue. So I've just finished
moving to a new (RANCID 3.2, CentOS 7) system. I'd forgotten how many
little patches I'd added over the last couple of years, so that was a
fun process! My Extreme switches are backing up correctly, though.
Anyway, now I find that I can't connect to a few Cisco ASRs with SSH
from that new box (works fine with putty). They just drop connection
with this slightly strange message in the logs:
May 15 16:57:30.399 BST: SSH2 1: Client DH key range mismatch with max
built-in DH key on server!
May 15 16:57:30.399 BST: %SSH-5-SSH2_SESSION: SSH2 Session request from
192.168.0.27 (tty = 1) using crypto cipher '', hmac '' Failed
May 15 16:57:30.399 BST: %SSH-5-SSH2_CLOSE: SSH2 Session from
192.168.0.27 (tty = 1) for user '' using crypto cipher '', hmac '' closed
On the Rancid side, I actually copied all the SSH keys (host and rancid
user) across from the old machine, to avoid any 'key changed' type
issues. Running with ssh -v, the last messages are:
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
This seems to be to do with a new lower key size restriction in newer
openssh version - does anyone know a way around it? Ideally without
regenerating the keys on the routers? In fact, I just tried regenerating
a 2048-bit key on one of the affected routers, and it makes no
difference anyway.
Thanks in advance,
Howard