SSH issue

yjdabear
VIP Alumni

This is after deleting the previously stored key from

/home/myid/.ssh/known_hosts.

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts

debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts

debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts

debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts

debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts

debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts

debug2: no key of type 0 for host router1

debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts2

debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts2

debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts

debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts

debug2: no key of type 2 for host router1

The authenticity of host 'router1 (10.1.5.9)' can't be established.

RSA key fingerprint is 22:e3:6d:c1:12:be:0e:63:4c:77:0c:b5:67:74:c5:ae.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'router1,10.1.5.9' (RSA) to the list of known hosts.

debug2: bits set: 507/1024

RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

debug1: ssh_rsa_verify: signature incorrect

key_verify failed for server_host_key

debug1: Calling cleanup 0x2d2e4(0x0)

There's no hardware change on the Cisco device.

"show cryp key mypubkey rsa" looks fine.

Never mind, turns out no SSH server is running on the router.


Joe Clarke
Cisco Employee

Just FYI, when troubleshooting SSH, the first thing I typically do is telnet to TCP port 22 on the target device. This allows me to confirm, first, that SSH is running, and second what protocol version is being used:

1.5 : The device only supports SSHv1

1.99 : The device supports both SSHv1 and SSHv2 (RME will use SSHv2 to communicate with the device)

2.0 : The device only supports SSHv2

In this case, it's answering on port 22, but "show ssh" indicates there's no SSHv1 or v2 server running.

%No SSHv2 server connections running.

%No SSHv1 server connections running.
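An added example, not part of any reply in this thread, that automates the port-22 check described above: it reads the server's identification string (RFC 4253 "SSH-protoversion-softwareversion") and maps the protocol field to the 1.5 / 1.99 / 2.0 table; the host name is a placeholder.

```python
import socket

# Meaning of the protocol field, following the table in the reply above.
VERSION_MEANING = {
    "1.5": "SSHv1 only",
    "1.99": "SSHv1 and SSHv2",
    "2.0": "SSHv2 only",
}


def parse_ssh_banner(data):
    """Return (protoversion, softwareversion, meaning) from raw banner text.

    RFC 4253 allows the server to send extra lines before the identification
    string, so lines not starting with "SSH-" are skipped. Raises ValueError
    when no SSH identification string is present, i.e. port 22 answers but
    whatever is listening is not an SSH server.
    """
    for line in data.splitlines():
        if line.startswith("SSH-"):
            # Drop "SSH-" and the optional comments field after a space.
            ident = line[4:].split(" ", 1)[0]
            proto, _, software = ident.partition("-")
            meaning = VERSION_MEANING.get(proto, "unknown protocol version")
            return proto, software, meaning
    raise ValueError("no SSH identification string in %r" % data[:40])


def probe_ssh_banner(host, port=22, timeout=5.0):
    """Equivalent of "telnet host 22": connect and read the first reply.

    A refused connection or timeout means nothing is listening; a non-SSH
    reply means something other than an SSH server owns the port.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    # Placeholder host; replace with the device you are troubleshooting.
    print(parse_ssh_banner(probe_ssh_banner("router1.example")))
```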

The issue: RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
key_verify failed for server_host_key

is related to the Cisco router. The RSA keys are corrupted, and you cannot connect to the router with an SSH client using SSHv2.

To fix it

  • Enable telnet access on the router

    enable

    conf t
    line vty 0 4
    logging synchronous
    length 0
    transport input telnet ssh
    line vty 5 15
    logging synchronous
    transport input telnet ssh

  • Suppress the RSA key present on the router by the telnet access

    enable
    conf t
    crypto key zeroize rsa

  • Add a domain name on the router

    enable
    conf t
    ip domain-name XXX.YYY.com

  • Create a new RSA key pair

    enable
    conf t
    crypto key generate rsa modulus 2048

  • Reboot the router

Since this is a router, don't forget a "wr mem".

I know this is an old post but wanted to add the solution that worked for me.

I attempted @Ipsnetwork's fix, to no avail.

The Fix:

conf t

crypto key generate rsa mod 2048 label <label_name>

ip ssh rsa keypair-name <label_name>

Can you send the output of the following commands:

sh ver | in image

sh ip ssh

(You can skip the RSA key hash area of the "sh ip ssh" output, since you shouldn't share that online.)

@normanksmith  I had a bit different error but this solution fixed the issue.

This label technique fixed for us too.

Thanks Norman.
