SSH Login Failing

Unanswered Question
Jul 14th, 2009

When attempting to SSH into the router, the connection is never established. Please see the following debug output:

5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494366: Jul 14 18:44:18.769 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494368: Jul 14 18:44:18.769 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494369: Jul 14 18:44:18.769 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494370: Jul 14 18:44:18.893 UTC: SSH2 0: ssh_receive: 464 bytes received
5494371: Jul 14 18:44:18.893 UTC: SSH2 0: input: packet len 464
5494372: Jul 14 18:44:18.893 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494373: Jul 14 18:44:18.893 UTC: SSH2 0: input: padlen 9
5494374: Jul 14 18:44:18.893 UTC: SSH2 0: received packet type 20
5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494378: Jul 14 18:44:18.941 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494379: Jul 14 18:44:18.941 UTC: SSH2 0: ssh_receive: 144 bytes received
5494380: Jul 14 18:44:18.941 UTC: SSH2 0: input: packet len 144
5494381: Jul 14 18:44:18.941 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494382: Jul 14 18:44:18.941 UTC: SSH2 0: input: padlen 5
5494383: Jul 14 18:44:18.941 UTC: SSH2 0: received packet type 30
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494389: Jul 14 18:44:24.361 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494391: Jul 14 18:44:24.361 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494392: Jul 14 18:44:24.365 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494393: Jul 14 18:44:24.561 UTC: SSH2 0: ssh_receive: 464 bytes received
5494394: Jul 14 18:44:24.561 UTC: SSH2 0: input: packet len 464
5494395: Jul 14 18:44:24.561 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494396: Jul 14 18:44:24.561 UTC: SSH2 0: input: padlen 9
5494397: Jul 14 18:44:24.561 UTC: SSH2 0: received packet type 20
5494398: Jul 14 18:44:24.561 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494399: Jul 14 18:44:24.565 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494400: Jul 14 18:44:24.565 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494401: Jul 14 18:44:24.613 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494402: Jul 14 18:44:24.613 UTC: SSH2 0: ssh_receive: 144 bytes received
5494403: Jul 14 18:44:24.613 UTC: SSH2 0: input: packet len 144
5494404: Jul 14 18:44:24.613 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494405: Jul 14 18:44:24.613 UTC: SSH2 0: input: padlen 6
5494406: Jul 14 18:44:24.613 UTC: SSH2 0: received packet type 30
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494409: Jul 14 18:44:24.677 UTC: SSH2 0: signature creation failed, status -1
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07

Any ideas what this could be?

bansal.ojasvi Tue, 07/14/2009 - 11:33

Do you have private keys on your router/switch?

Try running

(config)#crypto key generate rsa

k.minarcin Tue, 07/14/2009 - 11:36

I did that... still the same result. I can also run sh crypto key mypubkey rsa and it displays the keys.

bansal.ojasvi Tue, 07/14/2009 - 11:45

Can you paste the part of your config related to crypto? Also check whether you have a domain name on the device.

k.minarcin Tue, 07/14/2009 - 11:52

Here are excerpts from the configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local enable
aaa authentication login userauthen1 local
aaa authentication login acs-rad group radius local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization network groupauthor local
aaa authorization network groupauthor1 local
aaa accounting exec acct start-stop group tacacs+
aaa accounting exec acc-exec start-stop group tacacs+
!
aaa session-id common
!
ip ssh time-out 15
ip ssh authentication-retries 5
ip ssh version 2
line aux 0
 no exec
 transport input all
 transport output all
 stopbits 1
 speed 115200
line vty 0 4
 length 45
 transport preferred none
 transport input ssh
line vty 5 13
 transport input ssh
line vty 14 15
 session-timeout 60
 access-class IPSec-Mgt in
 exec-timeout 60 0
 transport input all
!

Display from the show ip ssh command:

SSH Enabled - version 2.0
Authentication timeout: 15 secs; Authentication retries: 5

There are other routers on the network with the exact same configuration as far as ssh is concerned that work fine...

bansal.ojasvi Tue, 07/14/2009 - 11:59

The only thing I can think of is whether you have this command:

(config)#ip domain name domain.local

k.minarcin Tue, 07/14/2009 - 12:02

Our domain name is set and is not the default... very strange occurrence.

s.conway Mon, 07/27/2009 - 21:01

What code version is running on the working versus non-working routers?

Vandyke's support forum has some info. Some users report that Putty works fine for them but sCRT stopped after upgrading past IOS 12.2.4.15.

http://forums.vandyke.com/archive/index.php/t-933.html

These lines from your debug output show the client sending AES256:

5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none

A search of Cisco's site shows that the error "Session disconnected - error 0x07" indicates the SSH Client Not Compiled with Data Encryption Standard (DES). I use SCRT 6.1.x and it doesn't have DES as an option. I don't have a router to test with. Is there an option to set the encryption type on the router?

Secure Shell Version 2 Support guide for 12.3T - may be of some help.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html
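
Reading the debug output by handshake stage, rather than by disconnect code, is what points past the AAA and vty configuration posted above: the router accepts the TCP connection, exchanges version banners, agrees on aes256-cbc/hmac-sha1 in KEXINIT, receives KEXDH_INIT and then fails when it tries to sign the exchange with its RSA host key. That is all before any user authentication message, so TACACS+ and the vty login settings cannot be involved, and the negotiated cipher rules out an algorithm mismatch. The Python below is an added example for this thread, not code from any of the posters or from Cisco. It parses IOS debug ip ssh lines into per-session summaries and maps the failure to the next checks. The SSH2_MSG_USERAUTH_REQUEST marker is the standard SSH message name and is assumed to be logged with that spelling; the IOS commands in diagnose() (ip ssh rsa keypair-name, crypto key generate rsa modulus 2048) are my suggestions, not the thread's; the sample lines are an abridged, constructed copy of the debug output at the top of the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Handshake milestones in the order IOS logs them.  The first five appear verbatim in the
# thread's debug output; USERAUTH_REQUEST is the standard SSH name and is ASSUMED to match.
STAGES = [
    ("control_process", re.compile(r"starting SSH control process")),
    ("version_exchange", re.compile(r"protocol version id is - (?P<banner>.+)$")),
    ("kexinit", re.compile(r"SSH2_MSG_KEXINIT received")),
    ("algorithms", re.compile(r"kex: (?P<dir>client->server|server->client) "
                              r"(?P<cipher>\S+) (?P<mac>\S+) (?P<comp>\S+)")),
    ("kexdh_init", re.compile(r"SSH2_MSG_KEXDH_INIT received")),
    ("userauth", re.compile(r"SSH2_MSG_USERAUTH_REQUEST")),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}
ERROR = re.compile(r"RSA_sign: private key not found|signature creation failed, status -?\d+")
DISCONNECT = re.compile(r"Session disconnected - error (?P<code>0x[0-9A-Fa-f]+)")


@dataclass
class Session:
    client_banner: Optional[str] = None
    algorithms: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)  # dir -> (cipher, mac, comp)
    last_stage: str = "none"
    errors: List[str] = field(default_factory=list)
    disconnect_code: Optional[str] = None

    def reached(self, stage: str) -> bool:
        return STAGE_INDEX.get(self.last_stage, -1) >= STAGE_INDEX[stage]


def parse_debug(text: str) -> List[Session]:
    """One Session per 'starting SSH control process'; lines before the first are ignored."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in text.splitlines():
        if STAGES[0][1].search(line):
            cur = Session()
            sessions.append(cur)
        if cur is None:
            continue
        for name, pat in STAGES:
            m = pat.search(line)
            if not m:
                continue
            if STAGE_INDEX[name] > STAGE_INDEX.get(cur.last_stage, -1):
                cur.last_stage = name  # only ever advances
            if name == "version_exchange":
                cur.client_banner = m.group("banner").strip()
            elif name == "algorithms":
                cur.algorithms[m.group("dir")] = (m.group("cipher"), m.group("mac"), m.group("comp"))
        if m := ERROR.search(line):
            cur.errors.append(m.group(0))
        if m := DISCONNECT.search(line):
            cur.disconnect_code = m.group("code")
    return sessions


def diagnose(s: Session) -> List[str]:
    """Turn a parsed session into next checks.  The IOS commands quoted here are this
    example's suggestions; the thread itself names only 'crypto key generate rsa'."""
    notes: List[str] = []
    if s.reached("kexdh_init") and not s.reached("userauth"):
        notes.append("failed in key exchange, before any user authentication: "
                     "AAA/TACACS+ and vty login settings are not the cause")
    c2s = s.algorithms.get("client->server")
    if c2s and s.reached("kexdh_init"):
        notes.append(f"KEXINIT completed with {c2s[0]}/{c2s[1]}: not a cipher or MAC mismatch")
    if any("private key not found" in e for e in s.errors):
        notes.append("host key not usable by the SSH process: compare 'show crypto key mypubkey rsa' "
                     "with 'show running-config | include ip ssh rsa keypair-name'; if no matching "
                     "pair exists, 'crypto key generate rsa modulus 2048' and retest")
    if s.disconnect_code:
        notes.append(f"disconnect code {s.disconnect_code}")
    return notes


# Constructed sample: an abridged copy of the two sessions in the thread's debug output.
SAMPLE = """\
5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07
"""

if __name__ == "__main__":
    for n, sess in enumerate(parse_debug(SAMPLE)):
        print(f"session {n}: reached {sess.last_stage}", *diagnose(sess), sep="\n  ")
```

Run it directly to see both sessions summarised. The two attempts in the thread fail at the same point with the same RSA_sign error yet end with different disconnect codes (0x00, then 0x07), which is why the code reads the stage reached rather than trusting the disconnect code as the primary signal.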

Richard Burts Tue, 09/08/2009 - 11:11

Kristen

Thank you for posting back to the forum indicating that you have identified and solved your problem. It makes the forum more useful when people can read about a situation, and can know what the problem identification was and what the solution was.

HTH

Rick
