10-29-2007 05:33 AM - edited 03-09-2019 07:08 PM
Hi
I have the following problem with a 4500 and SSH. I am unable to connect to the switch. I have zeroed the keys and re-generated them. Here is a debug SSH from the switch. Is anyone able to help with the problem?
17:43:35: SSH5: starting SSH control process
17:43:35: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
17:43:35: SSH5: protocol version id is - SSH-2.0-SecureCRT_4.1.3 (buildT
17:43:35: SSH2 5: send: len 280 (includes padlen 4)
17:43:35: SSH2 5: SSH2_MSG_KEXINIT sent
17:43:35: SSH2 5: ssh_receive: 392 bytes received
17:43:35: SSH2 5: input: packet len 392
17:43:35: SSH2 5: partial packet 8, need 384, maclen 0
17:43:35: SSH2 5: input: padlen 7
17:43:35: SSH2 5: received packet type 20
17:43:35: SSH2 5: SSH2_MSG_KEXINIT received
17:43:35: SSH2: kex: client->server aes128-cbc hmac-md5 none
17:43:35: SSH2: kex: server->client aes128-cbc hmac-md5 none
17:43:35: SSH2 5: expecting SSH2_MSG_KEXDH_INIT
17:43:35: SSH2 5: ssh_receive: 144 bytes received
17:43:35: SSH2 5: input: packet len 144
17:43:35: SSH2 5: partial packet 8, need 136, maclen 0
17:43:35: SSH2 5: input: padlen 5
17:43:35: SSH2 5: received packet type 30
17:43:35: SSH2 5: SSH2_MSG_KEXDH_INIT received
17:43:35: SSH2 5: signature length 143
17:43:35: SSH2 5: send: len 448 (includes padlen 7)
17:43:35: SSH2: kex_derive_keys complete
17:43:35: SSH2 5: send: len 16 (includes padlen 10)
17:43:35: SSH2 5: newkeys: mode 1
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS sent
17:43:35: SSH2 5: waiting for SSH2_MSG_NEWKEYS
17:43:35: SSH2 5: ssh_receive: 16 bytes received
17:43:35: SSH2 5: input: packet len 16
17:43:35: SSH2 5: partial packet 8, need 8, maclen 0
17:43:35: SSH2 5: input: padlen 10
17:43:35: SSH2 5: newkeys: mode 0
17:43:35: SSH2 5: received packet type 21
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS received
17:43:36:SSH2 5: ssh_receive: 48 bytes received
17:43:36:SSH2 5: input: packet len 32
17:43:36:SSH2 5: partial packet 16, need 16, maclen 16
17:43:36:SSH2 5: MAC #3 ok
17:43:36:SSH2 5: input: padlen 10
17:43:36:SSH2 5: received packet type 5
17:43:36:SSH2 5: send: len 32 (includes padlen 10)
17:43:36:SSH2 5: done calc MAC out #3
17:43:36:SSH2 5: send: len 256 (includes padlen 19)
17:43:36:SSH2 5: done calc MAC out #4
17:43:36:SSH2 5: ssh_receive: 64 bytes received
17:43:36:SSH2 5: input: packet len 48
17:43:36:SSH2 5: partial packet 16, need 32, maclen 16
17:43:36:SSH2 5: MAC #4 ok
17:43:36:SSH2 5: input: padlen 4
17:43:36:SSH2 5: received packet type 50
17:43:36:SSH2 5: send: len 32 (includes padlen 13)
17:43:36:SSH2 5: done calc MAC out #5
17:43:44:SSH2 5: ssh_receive: 112 bytes received
17:43:44:SSH2 5: input: packet len 96
17:43:44:SSH2 5: partial packet 16, need 80, maclen 16
17:43:44:SSH2 5: MAC #5 ok
17:43:44:SSH2 5: input: padlen 30
17:43:44:SSH2 5: received packet type 50
17:43:44:SSH2 5: invalid userid marlboro
17:43:44:SSH2 5: send: len 32 (includes padlen 13)
Many Thanks
10-30-2007 07:27 AM
Can you post the result of "show ip ssh"? Also what are your steps to configuring SSH?
10-31-2007 03:06 AM
Hi
Thanks for the response, here is the output.
#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Snippet of the config..
username admin password 0
no aaa new-model
ip ssh version 2
line vty 0 4
exec-timeout 60 0
password
login
transport input telnet ssh
To set it up I have set the hostname then domain then generated the rsa keys size 1024, also set it to SSH v2. I have telnet on the transport due to SSH not working.
Many Thanks MJ
10-31-2007 06:48 AM
MJ-
I labbed this up just to make sure. You have to enable AAA because you need to use a username and password. The VTY lines do not know you want to use a username/passwd combination and you cannot log in. To fix, try entering the following commands:
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# line vty 0 4
Router(config-line)# login authentication default
The AAA new-model enables AAA. The next line tells the router that authentication group name default should use the local database for username/passwd authentication. Under the VTY lines, the login authentication default tells the VTYs to use the AAA group of default for authentication. Let us know how it goes.
HTH and please rate.
10-31-2007 10:09 AM
Thanks for the post, I will try and let you know.
Regards MJ
11-02-2007 02:05 AM
Thanks this is now working.
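Added example, not part of the original thread: a small Python parser for the SSH debug lines quoted in the first post. It maps the "received packet type" numbers to their RFC 4250 message names and reports how far the session got, which separates key-exchange problems from authentication problems. The sample lines are abridged from that post; the function name `analyze` and the stage labels are this example's own.

```python
import re

# SSH message numbers assigned in RFC 4250 (only the ones relevant here).
SSH_MSG = {5: "SERVICE_REQUEST", 6: "SERVICE_ACCEPT", 20: "KEXINIT",
           21: "NEWKEYS", 30: "KEXDH_INIT", 31: "KEXDH_REPLY",
           50: "USERAUTH_REQUEST", 51: "USERAUTH_FAILURE", 52: "USERAUTH_SUCCESS"}

# Lines abridged from the debug output in the first post of this thread.
SAMPLE = """\
17:43:35: SSH2 5: received packet type 20
17:43:35: SSH2: kex: client->server aes128-cbc hmac-md5 none
17:43:35: SSH2 5: received packet type 30
17:43:35: SSH2: kex_derive_keys complete
17:43:35: SSH2 5: received packet type 21
17:43:36:SSH2 5: MAC #3 ok
17:43:36:SSH2 5: received packet type 5
17:43:36:SSH2 5: received packet type 50
17:43:44:SSH2 5: received packet type 50
17:43:44:SSH2 5: invalid userid marlboro
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d):\s*SSH\d*(?: \d+)?: (.*)$")  # time, tag, body

def analyze(debug_text):
    """Return the stage an SSH session reached and the evidence for it."""
    result = {"stage": "version-exchange", "messages": [], "ciphers": None,
              "invalid_user": None}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SSH debug line
        body = m.group(2)
        if (t := re.match(r"received packet type (\d+)", body)):
            num = int(t.group(1))
            result["messages"].append(SSH_MSG.get(num, f"type {num}"))
            if num in (20, 30):
                result["stage"] = "key-exchange"
            elif num == 21:
                result["stage"] = "keys-installed"
            elif num == 50:
                result["stage"] = "user-authentication"
        elif (k := re.match(r"kex: client->server (\S+) (\S+)", body)):
            result["ciphers"] = (k.group(1), k.group(2))  # (cipher, MAC)
        elif (u := re.match(r"invalid userid (\S+)", body)):
            result["invalid_user"] = u.group(1)
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample, the session passes key exchange and NEWKEYS and stops in the user-authentication stage with a rejected user ID, which matches the fix in the thread being on the login side and not in the RSA keys.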