Cisco IOS 15.x ssh to Solaris Server problem

Unanswered Question
May 24th, 2012

Hello.


We have a Cisco 2911 router with IOS 15.x. It has a problem when you try to connect from the router to the server with the SSH v2 protocol.

Servers are Sun Solaris 10.

We have tested it on the Intel and SPARC platforms:

-Solaris 10 update 5
-Solaris 10 update 7
-Solaris 10 update 9
-Solaris 10 update 10

Tests were done on the following IOS versions:

c2900-universalk9-mz.SPA.150-1.M5
c2900-universalk9-mz.SPA.150-1.M8
and
c2900-universalk9-mz.SPA.151-4.M4

We have tested with DH key sizes (ip ssh dh min size):

1024
2048
4096





Debug on Router (debug ip ssh):

May 24 13:05:13.686 GMT: SSH CLIENT0: protocol version id is - SSH-2.0-Sun_SSH_1.1.4
May 24 13:05:13.686 GMT: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
May 24 13:05:13.686 GMT: SSH2 CLIENT 0: send:packet of  length 344 (length also includes padlen of 5)
May 24 13:05:13.686 GMT: SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: ssh_receive: 592 bytes received
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: input: total packet length of 592 bytes
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 584 bytes, maclen 0
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: input: padlength 8 bytes
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
May 24 13:05:13.714 GMT: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
May 24 13:05:13.714 GMT: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1

====> This first step is OK

May 24 13:05:13.714 GMT: SSH2 CLIENT 0: send:packet of  length 24 (length also includes padlen of 6)
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_REQUEST sent
May 24 13:05:13.714 GMT: SSH2 CLIENT 0: Range sent- 1024  < 2048  < 4096
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: ssh_receive: 424 bytes received
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: input: total packet length of 424 bytes
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 416 bytes, maclen 0
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: input: padlength 10 bytes
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_GROUP received
May 24 13:05:13.718 GMT: SSH2 CLIENT 0: Server has chosen 3192 -bit dh keys

==> The Sun Solaris side chooses the wrong size (3192) every time, on every Solaris we tested

May 24 13:05:13.718 GMT: %SSH-3-INV_MOD: Invalid modulus length
May 24 13:05:13.718 GMT: SSH CLIENT0: Session disconnected - error 0x00




The interesting thing is that SSH to any other Linux/Unix (except Solaris) is working.

Debug of a working SSH session to a Linux server:


May 24 13:09:54.967 GMT: SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
May 24 13:09:54.967 GMT: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
May 24 13:09:54.967 GMT: SSH2 CLIENT 0: send:packet of  length 344 (length also includes padlen of 5)
May 24 13:09:54.967 GMT: SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: ssh_receive: 536 bytes received
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: input: total packet length of 784 bytes
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 776 bytes, maclen 0
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: ssh_receive: 248 bytes received
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 776 bytes, maclen 0
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: input: padlength 10 bytes
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
May 24 13:09:54.971 GMT: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
May 24 13:09:54.971 GMT: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1

====> This first step is OK

May 24 13:09:54.971 GMT: SSH2 CLIENT 0: send:packet of  length 24 (length also includes padlen of 6)
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_REQUEST sent
May 24 13:09:54.971 GMT: SSH2 CLIENT 0: Range sent- 1024  < 2048  < 4096
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: ssh_receive: 280 bytes received
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: input: total packet length of 280 bytes
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 272 bytes, maclen 0
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: input: padlength 8 bytes
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_GROUP received
May 24 13:09:54.975 GMT: SSH2 CLIENT 0: Server has chosen 2048 -bit dh keys
May 24 13:09:55.031 GMT: SSH2 CLIENT 0: send:packet of  length 272 (length also includes padlen of 6)
May 24 13:09:55.031 GMT: SSH2 CLIENT 0: expecting SSH2_MSG_KEX_DH_GEX_REPLY
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: ssh_receive: 536 bytes received
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: input: total packet length of 832 bytes
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 824 bytes, maclen 0
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: ssh_receive: 312 bytes received
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: partial packet length(block size)8 bytes,needed 824 bytes, maclen 0
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: input: padlength 8 bytes
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_REPLY received
May 24 13:09:55.115 GMT: SSH2 CLIENT 0: Skipping ServerHostKey Validation
May 24 13:09:55.195 GMT: SSH2 CLIENT 0: signature length 271
May 24 13:09:55.195 GMT: SSH2: kex_derive_keys complete

====> This second step is OK




The configuration of the SSH server ( /etc/ssh/sshd_config ) is similar to the one on the other (working) Linux systems.

Then we tried to force the key size in the SSH daemon config, for example:

ServerKeyBits 2048

But it still selects a key size of 3192 and the connection error is the same.

Please help.

BR,
Hrvoje.

rmorehouse2000 Wed, 06/13/2012 - 05:32

As a workaround, you could edit the server's /etc/ssh/moduli file and remove the 3192 bit prime. That would force the server to generate a 4096 bit key (the next highest available).
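The group exchange shown in the debugs above and the moduli-file workaround from the reply, as an added example that is not part of the original thread and not Cisco's or Sun's code. It parses a constructed /etc/ssh/moduli sample, models the server's group choice for the client's advertised range (1024 < 2048 < 4096), applies the client-side size check that corresponds to the thread's "Invalid modulus length" condition, and then applies the reply's workaround of dropping the 3192-bit entries. The moduli lines, the CLIENT_SUPPORTED_BITS set and the server selection rule are assumptions of the example, not Sun SSH's actual algorithm; the only real detail relied on is the moduli file layout, whose size column holds the bit length minus one.

```python
"""Model of the SSH DH group exchange (RFC 4419) failure in the thread above.
Added example; constructed data and a simplified server selection rule."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in /etc/ssh/moduli layout:
#   time type tests tries size generator modulus
# The "size" column is the bit length minus one, so 3191 describes a
# 3192-bit prime.  The hex moduli are stand-ins, not real primes.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20120524120000 2 6 100 1023 2 F0F0F0F0
20120524120000 2 6 100 1535 2 E1E1E1E1
20120524120000 2 6 100 3191 2 D2D2D2D2
20120524120000 2 6 100 3191 5 C3C3C3C3
20120524120000 2 6 100 4095 2 B4B4B4B4
"""

# Assumed: the modulus lengths the client in the thread was tested with.
CLIENT_SUPPORTED_BITS = {1024, 2048, 4096}


@dataclass(frozen=True)
class ModuliEntry:
    bits: int          # modulus length in bits (size column + 1)
    generator: int
    modulus_hex: str
    raw_line: str      # original line, kept so the file can be rewritten


def parse_moduli(text: str) -> List[ModuliEntry]:
    """Parse moduli-file text, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) != 7:
            continue  # malformed line: ignore it rather than abort
        entries.append(ModuliEntry(bits=int(fields[4]) + 1,
                                   generator=int(fields[5]),
                                   modulus_hex=fields[6], raw_line=line))
    return entries


def server_choose_group(entries: List[ModuliEntry], min_bits: int,
                        pref_bits: int, max_bits: int) -> Optional[ModuliEntry]:
    """Simplified model of the server's GEX choice (an assumption, not Sun
    SSH's code): within [min_bits, max_bits] take the smallest group that is
    at least pref_bits; if none is that large, take the largest that fits."""
    in_range = [e for e in entries if min_bits <= e.bits <= max_bits]
    if not in_range:
        return None
    at_least_pref = [e for e in in_range if e.bits >= pref_bits]
    if at_least_pref:
        return min(at_least_pref, key=lambda e: e.bits)
    return max(in_range, key=lambda e: e.bits)


def client_accepts(group: Optional[ModuliEntry],
                   supported=CLIENT_SUPPORTED_BITS) -> Tuple[bool, str]:
    """Client side: a client that handles only fixed modulus lengths
    rejects any other group, which is what the %SSH-3-INV_MOD debug shows."""
    if group is None:
        return False, "server offered no group in range"
    if group.bits not in supported:
        return False, f"Invalid modulus length: server chose {group.bits}-bit dh keys"
    return True, f"Server has chosen {group.bits}-bit dh keys"


def remove_group_size(text: str, bits: int) -> str:
    """The reply's workaround: drop every moduli line of the given bit length
    (size column == bits - 1) while keeping comments and all other lines."""
    kept = []
    for line in text.splitlines():
        fields = line.split()
        is_entry = len(fields) == 7 and not line.lstrip().startswith("#")
        if is_entry and int(fields[4]) + 1 == bits:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def simulate(moduli_text: str, min_bits: int = 1024, pref_bits: int = 2048,
             max_bits: int = 4096) -> Tuple[bool, str]:
    """Run one group exchange against a moduli file; return the client's verdict."""
    group = server_choose_group(parse_moduli(moduli_text), min_bits, pref_bits, max_bits)
    return client_accepts(group)


if __name__ == "__main__":
    print("original moduli:        ", simulate(SAMPLE_MODULI))
    print("3192-bit groups removed:", simulate(remove_group_size(SAMPLE_MODULI, 3192)))
```

With the sample file the server lands on the 3192-bit group and the client refuses it; after `remove_group_size` the next group up, 4096 bits, is chosen and accepted, which is the outcome the reply predicts. Before editing a real moduli file, keep a copy and check with `awk '{print $5+1}' /etc/ssh/moduli | sort -nu` which sizes remain so the server still has a group inside the range every client advertises.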
