SSH on a 4500

mj11 (Level 3)

Hi

I have the following problem with a 4500 and SSH. I am unable to connect to the switch; I have zeroed the keys and re-generated them. Here is a debug SSH from the switch. Is anyone able to help with the problem?

17:43:35: SSH5: starting SSH control process
17:43:35: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
17:43:35: SSH5: protocol version id is - SSH-2.0-SecureCRT_4.1.3 (buildT
17:43:35: SSH2 5: send: len 280 (includes padlen 4)
17:43:35: SSH2 5: SSH2_MSG_KEXINIT sent
17:43:35: SSH2 5: ssh_receive: 392 bytes received
17:43:35: SSH2 5: input: packet len 392
17:43:35: SSH2 5: partial packet 8, need 384, maclen 0
17:43:35: SSH2 5: input: padlen 7
17:43:35: SSH2 5: received packet type 20
17:43:35: SSH2 5: SSH2_MSG_KEXINIT received
17:43:35: SSH2: kex: client->server aes128-cbc hmac-md5 none
17:43:35: SSH2: kex: server->client aes128-cbc hmac-md5 none
17:43:35: SSH2 5: expecting SSH2_MSG_KEXDH_INIT
17:43:35: SSH2 5: ssh_receive: 144 bytes received
17:43:35: SSH2 5: input: packet len 144
17:43:35: SSH2 5: partial packet 8, need 136, maclen 0
17:43:35: SSH2 5: input: padlen 5
17:43:35: SSH2 5: received packet type 30
17:43:35: SSH2 5: SSH2_MSG_KEXDH_INIT received
17:43:35: SSH2 5: signature length 143
17:43:35: SSH2 5: send: len 448 (includes padlen 7)
17:43:35: SSH2: kex_derive_keys complete
17:43:35: SSH2 5: send: len 16 (includes padlen 10)
17:43:35: SSH2 5: newkeys: mode 1
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS sent
17:43:35: SSH2 5: waiting for SSH2_MSG_NEWKEYS
17:43:35: SSH2 5: ssh_receive: 16 bytes received
17:43:35: SSH2 5: input: packet len 16
17:43:35: SSH2 5: partial packet 8, need 8, maclen 0
17:43:35: SSH2 5: input: padlen 10
17:43:35: SSH2 5: newkeys: mode 0
17:43:35: SSH2 5: received packet type 21
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS received
17:43:36: SSH2 5: ssh_receive: 48 bytes received
17:43:36: SSH2 5: input: packet len 32
17:43:36: SSH2 5: partial packet 16, need 16, maclen 16
17:43:36: SSH2 5: MAC #3 ok
17:43:36: SSH2 5: input: padlen 10
17:43:36: SSH2 5: received packet type 5
17:43:36: SSH2 5: send: len 32 (includes padlen 10)
17:43:36: SSH2 5: done calc MAC out #3
17:43:36: SSH2 5: send: len 256 (includes padlen 19)
17:43:36: SSH2 5: done calc MAC out #4
17:43:36: SSH2 5: ssh_receive: 64 bytes received
17:43:36: SSH2 5: input: packet len 48
17:43:36: SSH2 5: partial packet 16, need 32, maclen 16
17:43:36: SSH2 5: MAC #4 ok
17:43:36: SSH2 5: input: padlen 4
17:43:36: SSH2 5: received packet type 50
17:43:36: SSH2 5: send: len 32 (includes padlen 13)
17:43:36: SSH2 5: done calc MAC out #5
17:43:44: SSH2 5: ssh_receive: 112 bytes received
17:43:44: SSH2 5: input: packet len 96
17:43:44: SSH2 5: partial packet 16, need 80, maclen 16
17:43:44: SSH2 5: MAC #5 ok
17:43:44: SSH2 5: input: padlen 30
17:43:44: SSH2 5: received packet type 50
17:43:44: SSH2 5: invalid userid marlboro
17:43:44: SSH2 5: send: len 32 (includes padlen 13)

Many Thanks
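A trace like the one above is easier to read if you first ask how far the SSH-2 handshake got before it stopped. The script below is an added example, not code from the original post: it scans a `debug ip ssh` trace for the handshake milestones (version exchange, KEXINIT, KEXDH, NEWKEYS, first verified MAC, service request, userauth request), records the negotiated algorithms, and reports the furthest stage reached plus any failure line. The milestone patterns and the diagnosis text are the author's assumptions about what those IOS debug lines signal; the sample trace is a constructed abbreviation of the posted one.

```python
"""Triage a Cisco IOS `debug ip ssh` trace by SSH-2 handshake stage.

Added example, not part of the original forum post.  SAMPLE_TRACE is a
constructed abbreviation of the trace posted in the thread; the milestone
and failure patterns are assumptions about what each debug line means.
"""
import re

# Constructed sample: representative lines from the posted trace, keeping the
# original's inconsistent spacing after the timestamp.
SAMPLE_TRACE = """\
17:43:35: SSH5: starting SSH control process
17:43:35: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
17:43:35: SSH5: protocol version id is - SSH-2.0-SecureCRT_4.1.3 (buildT
17:43:35: SSH2 5: SSH2_MSG_KEXINIT sent
17:43:35: SSH2 5: SSH2_MSG_KEXINIT received
17:43:35: SSH2: kex: client->server aes128-cbc hmac-md5 none
17:43:35: SSH2: kex: server->client aes128-cbc hmac-md5 none
17:43:35: SSH2 5: SSH2_MSG_KEXDH_INIT received
17:43:35: SSH2: kex_derive_keys complete
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS sent
17:43:35: SSH2 5: SSH2_MSG_NEWKEYS received
17:43:36:SSH2 5: MAC #3 ok
17:43:36:SSH2 5: received packet type 5
17:43:36:SSH2 5: received packet type 50
17:43:44:SSH2 5: received packet type 50
17:43:44:SSH2 5: invalid userid marlboro
"""

# Ordered handshake milestones.  Reaching a later one proves the earlier ones
# (version exchange, key exchange, key installation) succeeded.
MILESTONES = [
    (re.compile(r"sent protocol version id"), "version_exchange"),
    (re.compile(r"SSH2_MSG_KEXINIT received"), "kexinit"),
    (re.compile(r"SSH2_MSG_KEXDH_INIT received"), "kexdh"),
    (re.compile(r"kex_derive_keys complete"), "keys_derived"),
    (re.compile(r"SSH2_MSG_NEWKEYS received"), "newkeys"),
    (re.compile(r"MAC #\d+ ok"), "encrypted_channel"),
    (re.compile(r"received packet type 5\b"), "service_request"),    # SSH_MSG_SERVICE_REQUEST
    (re.compile(r"received packet type 50\b"), "userauth_request"),  # SSH_MSG_USERAUTH_REQUEST
]
STAGE_ORDER = [name for _, name in MILESTONES]

# Failure signatures, keyed by the diagnosis they support (assumed wording).
FAILURES = {
    "auth_user_unknown": re.compile(r"invalid userid (\S+)"),
    "auth_rejected": re.compile(r"authentication failed|password rejected", re.I),
}


def triage(trace: str) -> dict:
    """Return the furthest stage reached, the negotiated algorithms and any failure."""
    furthest = None
    algorithms = {}
    failure = None
    for line in trace.splitlines():
        for pattern, stage in MILESTONES:
            if pattern.search(line) and (
                furthest is None or STAGE_ORDER.index(stage) > STAGE_ORDER.index(furthest)
            ):
                furthest = stage
        m = re.search(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)", line)
        if m:
            algorithms[m.group(1)] = {"cipher": m.group(2), "mac": m.group(3), "compression": m.group(4)}
        for kind, pattern in FAILURES.items():
            m = pattern.search(line)
            if m and failure is None:
                failure = {"kind": kind, "detail": m.group(0)}
    return {"furthest_stage": furthest, "algorithms": algorithms, "failure": failure}


def diagnose(result: dict) -> str:
    """Turn a triage result into the next thing a troubleshooter should check."""
    stage, failure = result["furthest_stage"], result["failure"]
    if stage is None:
        return "no SSH traffic seen: check transport input, ACLs and 'show ip ssh'"
    if STAGE_ORDER.index(stage) < STAGE_ORDER.index("newkeys"):
        return "key exchange never completed: check the RSA key pair, 'ip ssh version' and client algorithm support"
    if failure and failure["kind"] == "auth_user_unknown":
        return "crypto is fine; the username is not accepted: check the login method on the vty lines and the local user database"
    if failure:
        return "crypto is fine; credentials rejected: check the password or the AAA server"
    return "handshake and authentication completed"


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    print(result["furthest_stage"], result["algorithms"], result["failure"])
    print(diagnose(result))
```

Run against the posted trace this reports `userauth_request` as the furthest stage with an `invalid userid` failure: both NEWKEYS messages were exchanged and three MACs verified, so the regenerated RSA key pair and the key exchange are not the problem and the search narrows to how the vty lines authenticate a username. The algorithm capture is worth keeping in a triage tool: `aes128-cbc` and `hmac-md5` are legacy algorithms that current OpenSSH clients no longer offer by default, which is a separate, earlier-stage failure mode on old IOS images.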

5 Replies

Collin Clark (VIP Alumni)

Can you post the result of "show ip ssh"? Also what are your steps to configuring SSH?

Hi

Thanks for the response, here is the output.

#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Snippet of the config..

username admin password 0
no aaa new-model
ip ssh version 2
line vty 0 4
 exec-timeout 60 0
 password
 login
 transport input telnet ssh

To set it up I set the hostname, then the domain, then generated the RSA keys (size 1024), and also set it to SSH v2. I have telnet on the transport because SSH is not working.

Many Thanks MJ

MJ-

I labbed this up just to make sure. You have to enable AAA because you need to use a username and password. The VTY lines do not know you want to use a username/password combination, so you cannot log in. To fix, try entering the following commands:

Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# line vty 0 4
Router(config-line)# login authentication default

The AAA new-model enables AAA. The next line tells the router that authentication group name default should use the local database for username/passwd authentication. Under the VTY lines, the login authentication default tells the VTYs to use the AAA group of default for authentication. Let us know how it goes.

HTH and please rate.
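The same mistake is easy to catch before anyone opens a debug session. The checker below is an added example, not code from the thread or from Cisco: it parses an IOS running-config snippet, finds the vty lines that accept SSH, and reports any line whose login method never consults a username database (plain `login` checks only the line password, but an SSH client always sends a username). The two configs are constructed from the snippet posted above and from the fix in this reply, with the redacted passwords replaced by a placeholder. The checker also accepts `login local` as valid, which is the non-AAA way of using the local username database; that alternative is the author's addition and is not used in the thread.

```python
"""Audit the vty lines of a Cisco IOS config for SSH-capable authentication.

Added example, not the thread's own code.  BEFORE and AFTER are constructed
from the config posted in the thread and from the fix in the reply above;
the password values were redacted on the page and are placeholders here.
Accepting `login local` as a second valid method is the author's assumption
about IOS behaviour and is not something the thread uses.
"""
import re

BEFORE = """\
username admin password 0 REDACTED
no aaa new-model
ip ssh version 2
line vty 0 4
 exec-timeout 60 0
 password REDACTED
 login
 transport input telnet ssh
"""

AFTER = """\
username admin password 0 REDACTED
aaa new-model
aaa authentication login default local
ip ssh version 2
line vty 0 4
 exec-timeout 60 0
 password REDACTED
 login authentication default
 transport input telnet ssh
"""

# AAA login methods that identify the user by name (local database or a
# RADIUS/TACACS+ server group); 'enable', 'line' and 'none' do not.
USERNAME_METHODS = ("local", "local-case", "group")


def parse(config: str):
    """Split an IOS config into global commands and `line vty` sections."""
    global_cmds, vty_sections, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # indented: belongs to the open section
            if current is not None:
                current["cmds"].append(raw.strip())
            continue
        current = None
        m = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if m:
            current = {"range": (int(m.group(1)), int(m.group(2) or m.group(1))), "cmds": []}
            vty_sections.append(current)
        else:
            global_cmds.append(raw.strip())
    return global_cmds, vty_sections


def username_based(methods) -> bool:
    return any(m in USERNAME_METHODS for m in methods)


def audit(config: str) -> list:
    """Return one finding per vty section that cannot authenticate an SSH user."""
    global_cmds, vty_sections = parse(config)
    aaa = "aaa new-model" in global_cmds           # 'no aaa new-model' does not match
    lists = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    findings = []
    if not any(c.startswith("username ") for c in global_cmds) and not any(
        "group" in v for v in lists.values()
    ):
        findings.append("no local usernames and no AAA server group: SSH logins cannot succeed")
    for sec in vty_sections:
        name = "line vty %d %d" % sec["range"]
        transport = next((c for c in sec["cmds"] if c.startswith("transport input")), "")
        if not ({"ssh", "all"} & set(transport.split())):
            continue                               # these lines never accept SSH
        login = next((c for c in sec["cmds"] if c == "login" or c.startswith("login ")), None)
        if login == "login local":
            continue                               # local username database, no AAA needed
        if aaa:
            # Under aaa new-model a line uses the 'default' list unless it names another.
            list_name = login.split()[2] if login and login.startswith("login authentication ") else "default"
            methods = lists.get(list_name)
            if methods is None:
                findings.append(f"{name}: AAA login list '{list_name}' is not defined; define it explicitly "
                                f"(e.g. 'aaa authentication login {list_name} local')")
            elif not username_based(methods):
                findings.append(f"{name}: AAA list '{list_name}' ({' '.join(methods)}) never consults a username database")
            continue
        if login == "login":
            findings.append(f"{name}: plain 'login' checks only the line password; SSH sends a username, "
                            "so use 'login local' or AAA")
        elif login is None:
            findings.append(f"{name}: no 'login' at all; remote sessions would reach exec without authentication")
        else:
            findings.append(f"{name}: '{login}' has no effect without 'aaa new-model'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "OK")
```

On the posted configuration the audit returns a single finding for `line vty 0 4`, and it returns nothing once the three AAA commands from this reply are in place. Keep `transport input telnet ssh` in mind as a separate finding for a real audit: once SSH works, `transport input ssh` removes the cleartext fallback the poster added while troubleshooting.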

Thanks for the post, I will try and let you know.

Regards MJ

Thanks this is now working.
