KB-5754: Unable to login to Cisco devices after switching to Centrify OpenSSH

12 April,16 at 11:46 AM

Applies to OpenSSH (stock and Centrify-enabled) version 6.6


Problem:

When trying to SSH into a Cisco device using OpenSSH 6.6, the connection is closed. Why?


Cause:

The reason for this is that the Cisco device supports a maximum Diffie-Hellman key length of 2048 bits, while the OpenSSH 6.6 client's group-exchange request asks for a larger group (the SSH2_MSG_KEX_DH_GEX_REQUEST line below requests a group between 1024 and 8192 bits, preferring 7680). Instead of answering with a group, the device closes the connection.
This can be observed in 'ssh -vvv' output as follows (the SSH2_MSG_KEX_DH_GEX_REQUEST line is the one to look for):

debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by x.x.x.x


This issue occurs for both stock and Centrify-enabled OpenSSH. It is a known Cisco bug:
https://tools.cisco.com/bugsearch/bug/CSCuo76464 (link is provided as a courtesy)
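A small added check (an example script written for this page, not part of the Centrify article or of OpenSSH) that scans saved 'ssh -vvv' output for exactly this signature: a DH_GEX_REQUEST that is answered by the server closing the connection before any DH_GEX_GROUP arrives. The sample lines are constructed from the debug output quoted above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Centrify KB or OpenSSH): detect the DH
# group-exchange failure signature in captured 'ssh -vvv' output.

# Constructed sample, taken from the debug lines quoted in the article.
SAMPLE_OUTPUT='debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by x.x.x.x'

# Constructed healthy exchange for comparison: the server answered with a group.
HEALTHY_OUTPUT='debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received'

# gex_failure_signature LOG_TEXT
# Exit 0 and print the requested "min<preferred<max" group sizes when the client
# sent a DH_GEX_REQUEST and the server closed the connection without ever
# sending DH_GEX_GROUP. Exit 1 (print nothing) otherwise.
gex_failure_signature() {
    printf '%s\n' "$1" | awk '
        /SSH2_MSG_KEX_DH_GEX_REQUEST[(]/ {
            sizes = $0
            sub(/.*SSH2_MSG_KEX_DH_GEX_REQUEST[(]/, "", sizes)
            sub(/[)].*/, "", sizes)
            requested = 1
            next
        }
        requested && /SSH2_MSG_KEX_DH_GEX_GROUP received/ { requested = 0 }
        requested && /^Connection closed by/ { print sizes; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# max_gex_bits "1024<7680<8192" -> 8192, the largest group the client offered to use.
max_gex_bits() {
    printf '%s\n' "$1" | awk -F'<' '{ print $3 }'
}

if sizes=$(gex_failure_signature "$SAMPLE_OUTPUT"); then
    echo "DH group exchange request ($sizes) was answered by a connection close;"
    echo "the client asked for a group of up to $(max_gex_bits "$sizes") bits."
else
    echo "no DH group-exchange failure signature found"
fi
```

Capture a failing session with `ssh -vvv user@device 2> ssh-debug.log` and pass the file's contents to gex_failure_signature. A non-zero exit means the pattern is absent, so the closed connection has some other cause worth investigating before touching KexAlgorithms.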


Workaround:

On the client side, in your 'ssh_config', re-order the KexAlgorithms so that diffie-hellman-group14-sha1 (a fixed 2048-bit group, which needs no group-exchange negotiation) is tried first:

KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

You can also simply remove the group-exchange algorithms (diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1, the ones that request the larger groups) from the list, at the cost of somewhat weaker security.
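As an added example (not from the Centrify article or from OpenSSH), the following script builds the re-ordered KexAlgorithms line from a default-style list and emits it as a Host-scoped stanza, so that only the affected Cisco devices lose the preference for curve25519 and ECDH while every other host keeps the stock ordering. The host patterns and the DEFAULT_KEX starting list are constructed placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Centrify KB or OpenSSH): generate a per-host
# KexAlgorithms setting that prefers the fixed 2048-bit group14 exchange, so the
# client never sends a DH_GEX_REQUEST to devices that cannot handle it.

# Constructed starting list containing the same algorithms the article re-orders.
DEFAULT_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# reorder_kex LIST [drop]
# Moves diffie-hellman-group14-sha1 to the front of a comma-separated list,
# keeping the relative order of everything else. With a second argument of
# "drop", the two group-exchange algorithms are removed entirely (the article's
# second, less secure option).
reorder_kex() {
    list=$1
    mode=${2:-keep}
    printf '%s\n' "$list" | tr ',' '\n' | awk -v mode="$mode" '
        # group14 is re-added at the front in END, so skip it here
        $0 == "diffie-hellman-group14-sha1" { next }
        mode == "drop" && /^diffie-hellman-group-exchange-/ { next }
        { rest = (rest == "") ? $0 : rest "," $0 }
        END {
            out = "diffie-hellman-group14-sha1"
            if (rest != "") out = out "," rest
            print out
        }
    '
}

# host_stanza PATTERN KEXLIST -> ssh_config text that applies only to matching hosts
host_stanza() {
    printf 'Host %s\n    KexAlgorithms %s\n' "$1" "$2"
}

# Placeholder patterns: replace with the names or addresses of the affected devices.
host_stanza 'cisco-*.example.net 10.0.0.*' "$(reorder_kex "$DEFAULT_KEX")"
```

Place the generated stanza above any `Host *` block in ~/.ssh/config or /etc/ssh/ssh_config, since ssh takes the first value it finds for each option. To confirm the fix on a single device without editing any file, pass the same list on the command line with `ssh -o KexAlgorithms=... user@device` and check in the -vvv output that SSH2_MSG_KEX_DH_GEX_REQUEST is no longer sent; `ssh -Q kex` lists the algorithm names the local client supports.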


Resolution:

This is a Cisco bug and will need to be resolved on their end.
