
New Member

SSH connection fails - server refused authentication protocol

I have a 3845 router. 

  • Setup SSH Version 2
  • generated rsa keys (1024)
  • set login local
  • transport input ssh and telnet is enabled since I can't get ssh connection working

When I connect using SSH, I get the following error.

server refused authentication protocol.

22 REPLIES
New Member

SSH connection fails - server refused authentication protocol

Erica,

can you please post the config snippets from your ssh and line section?

Thanks.

David.

SSH connection fails - server refused authentication protocol

can you also post output -----show ip ssh

looks like mismatch of ssh version ?

Thanks

Ajay 

New Member

SSH connection fails - server refused authentication protocol

Ajay,

it could also be a problem with the initiating DH Key-Exchange that happens before the SSH-Connection is confirmed on both sites.

Another hint could be the keys generated on the router. If they were generated as non-exportable or have not been explicitly assigned to ssh issuing:

     ip ssh rsa keypair-name

Regards,

David.

New Member

SSH connection fails - server refused authentication protocol

Erika,

please consider carefully posting passwords. Even if they are encrypted, those password hashes are very quickly transformed back to clear text......

I see you have ssh enabled on 2 lines at a time - I do not know if this is done on purpose, for security reasons I recommend to enable ssh just on a single line and disable telnet access completely

Putting passwords and priv levels in the line config is not a good style, aaa methods are a better way.

To put the matter right:

we first create a new strong keypair for your ssh access involving a 2048bit key to sleep well at night

     conf t
     crypto key generate rsa general-keys label modulus 2048
     aaa new-model
     !
     !
     aaa authentication login default local
     !
     aaa session-id common
     !
     username privilege 15 password 0
     !
     ip ssh time-out 60
     ip ssh authentication-retries 2
     !
     !!! the next command makes your ssh available at port 2222
     !! this is to deny on the firewall ssh standard port 22 as it is a welcome target
     !
     ip ssh port 2222 rotary 1
     ip ssh rsa keypair-name
     ip ssh logging events
     ip ssh version 2
     !
     !!!! we now setup the lines from scratch
     !!!! first deleting them
     no line con 0
     no line aux
     no line vty 0 4
     !
     !!!! now the new declarations:
     !
     !
     !
     line con 0
      speed 115200
     line aux 0
     line vty 0 4
      rotary 1
      international
      transport input ssh
     !

that's it

Regards,

David.
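
An added example, not part of the thread and not Cisco code: a Python check that reads a saved running-config and reports where it departs from the points made in the post above (AAA enabled, SSH version 2 only, no telnet on the vty lines, no password or privilege level on the line itself, no type 0 or type 7 user passwords, which are cleartext or trivially reversible). The sample config, the user name `admin`, and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread's config; secrets are placeholders.
SAMPLE_CONFIG = """\
ip ssh version 2
username admin privilege 15 password 7 PLACEHOLDER
line vty 0 4
 privilege level 15
 password 7 PLACEHOLDER
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""
REQUIRED = ("aaa new-model", "ip ssh version 2")  # global commands expected

def parse_sections(config):
    """Return (global commands, {line header: [sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, sections

def audit(config):
    """List deviations from the hardening points raised in the thread."""
    top, sections = parse_sections(config)
    findings = [f"global: missing '{r}'" for r in REQUIRED if r not in top]
    for cmd in top:
        m = re.match(r"username (\S+) .*\bpassword ([07])\b", cmd)
        if m:
            findings.append(f"global: user {m.group(1)} uses password type {m.group(2)}")
    for header, cmds in sections.items():
        if not header.startswith("line vty"):
            continue  # only the remote-access lines are checked here
        inputs = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if inputs != [["ssh"]]:
            findings.append(f"{header}: transport input not restricted to ssh")
        for bad in ("password", "privilege level 15"):
            if any(c.startswith(bad) for c in cmds):
                findings.append(f"{header}: '{bad}' set on the line")
    return findings
```

Calling `audit()` on the text of a `show running-config` capture returns an empty list when none of the checks fire.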

New Member

SSH connection fails - server refused authentication protocol

HUH!

I made a mistake,

please do _N O T_ issue:

no line con 0

in case you are connected with a terminal.

Regards,

D.

New Member

SSH connection fails - server refused authentication protocol

I still get the same authentication server refused authentication protocol.

Here's the updated config.

aaa new-model

!

!

aaa authentication login default local

!

!

aaa session-id common

#sho ip ssh

SSH Enabled - version 2.0

Authentication timeout: 60 secs; Authentication retries: 2

However, when I entered this:

no line vty 0 4

I got a response:

% Can't delete last 5 VTY lines

Now my lines look like this:

line vty 0 4

privilege level 15

password 7

rotary 1

international

transport input ssh

!

New Member

SSH connection fails - server refused authentication protocol

Erika,

do you get the error message instantly when you try to connect or after you typed your login credentials?

you need at least one user on the machine as SSH requires User+Password.

If you do not provide a username, by standard the username you logged in on your workstation is sent to the other ssh site.

Other points to turn an eye to in order to target the problem:

- ip inspect configured on the machine?

- do you try to connect over VPN? try to reduce the MTU so that all packets get transmitted.

setup a username with priv level 15 as advised in my previous post and configure your lines new as follows:

     conf t
     line vty 0 4
      no privilege level 15
      no password
      transport input ssh
      international
      rotary 1
     exit
     line con 0
      speed 115200
     end
     wr
     copy run start



New Member

SSH connection fails - server refused authentication protocol

I am actually doing this over a VPN, but I'll be in the office in a little bit.  I'll hold off on doing your last suggestions until I get there.

New Member

SSH connection fails - server refused authentication protocol

I do get the message immediately when I connect.  I'm not asked for a user name and password like I get when I telnet in. I do already have 2 users on the router. 

New Member

SSH connection fails - server refused authentication protocol

ok.

this makes sense.

can you please provide me the MTU values from your tunnel interface?

Cisco VPN is Layer 2 over IPSec. The IPSec may cause in some cases a protocol overhead.

This causes breaks in the connection.

Regards,

David.

New Member

SSH connection fails - server refused authentication protocol

The VPN isn't on my equipment, it's been assigned to me by my ISP.  It's an usual situation, enterprise configuration.

Now I was surprised when I consoled in - couldn't get in. 

I couldn't get in through Telnet or SSH either.

I connected to the AUX port and finally got in. Then the language was not English.  I removed the International line and got it back to English. 

New Member

SSH connection fails - server refused authentication protocol

if you have the router physically available, then try to connect over SSH from the same switch.

If it then lets you in without any interrupt, you have the solution.

you maybe couldn't connect to console because my sample config changed the speed of the console to 115200.

the value needs to be assigned in your terminal for the serial port.

Regards,

David.

New Member

SSH connection fails - server refused authentication protocol

I created a new user.  Tried to connect again, from a switch directly connected to the router.  Still fails.  I do see the SSH authentication challenge window open when I initiate the connection, but the error opens and is the only active window.

I tried to connect directly to the router, but couldn't get anywhere.  I assigned an IP address to my laptop and did a no shutdown on the interface, but I still couldn't get even to the router.

New Member

SSH connection fails - server refused authentication protocol

which program do you have in use on your notebook for the ssh connection?

New Member

SSH connection fails - server refused authentication protocol

ttermpro2

New Member

SSH connection fails - server refused authentication protocol

another idea:

did you earlier connect to another device over ssh which had either the same ip address or hostname?

maybe this is a key issue. ttermpro2 knows the old key and tries to exchange with a different machine.

of course this must fail. the same comes to light when the ssh keypair itself is replaced on the router.

try to find the known_host key cache on your ttermpro and either clear it or remove the entries concerning the particular IP or hostname.

New Member

SSH connection fails - server refused authentication protocol

the easiest way would be a connection attempt from a different system, best a Linux based.

New Member

SSH connection fails - server refused authentication protocol

No go on the Linux systems...I have none.

I tried on a new host, never to have connected to the router via SSH or Telnet before on the host.  I saw the message, do you want to use this 2048, no way of validating, click yes to save it and use it.  Clicked yes.  Still get server refused user authentication protocol.

New Member

SSH connection fails - server refused authentication protocol

this is somewhat strange.

if you wish, you may send me the public IP address of your router and I can then open a SSH session from my Solaris Workstation and analyze the traffic packets with tcpdump and openssl client. We then see more what is going wrong.

mail me the IP at: E605  ~a~T* LIVE_dot_DE

Regards,

David.

New Member

SSH connection fails - server refused authentication protocol

I got a new program, SecureCRT and can now get connected via SSH.  Excellent instructions, thank you David! 

New Member

SSH connection fails - server refused authentication protocol

you are most welcome.

great to see you got your ssh access back.

Regards,

David.

New Member

i am facing the same issue

i am facing the same issue today and it took me a while to fix up.

this is the command i re-typed to make SSH work.

crypto key generate rsa general-keys modulus 1024

not really sure why, but that's how I fixed it.
