ExtremeSwitching (EXOS)


Cant SSH2 to Extreme switches via Ubuntu

  • 1.  Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 18:43
    We recently enabled SSH2 in our environment. I am able to SSH to Cisco switches without any issue but not to any Extreme switch. I can log in to them fine via teraterm/secureCRT but not via Ubuntu.

    I have an Ubuntu 14.04 machine. Here is what I am getting:

    ssh admin@extreme_switch.com
    ssh_exchange_identification: read: Connection reset by peer

    With -v for more info:

    ssh -v admin@extreme_switch.com
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to extreme_switch.com [10.10.0.99] port 22.
    debug1: Connection established.
    debug1: identity file /home/admin1/.ssh/id_rsa type -1
    debug1: identity file /home/admin1/.ssh/id_rsa-cert type -1
    debug1: identity file /home/admin1/.ssh/id_dsa type -1
    debug1: identity file /home/admin1/.ssh/id_dsa-cert type -1
    debug1: identity file /home/admin1/.ssh/id_ecdsa type -1
    debug1: identity file /home/admin1/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/admin1/.ssh/id_ed25519 type -1
    debug1: identity file /home/admin1/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
    ssh_exchange_identification: read: Connection reset by peer

    Any idea why I cannot log in to Extremes?

    Thanks
    Zohaib



  • 2.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 18:50
    What version of code are you running?
    Is the ssh xmod installed if you are running 15.x or lower?


  • 3.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 19:03
    We have different versions depending on model. Here are some and none are working:

    8810/x8 - bd8800-15.7.2.9-ssh.xmod v1572b9
    x770 - summitX-15.7.2.9-ssh.xmod v1572b9
    x870 - onie-22.2.1.5-patch1-4-debug.xmod 22.2.1.5-patch1-4


  • 4.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 10:08
    Yes, I did this already. Like this:

    vi .ssh/config

    Host x450
    HostName [i]
    HostKeyAlgorithms=+ssh-dss
    User admin

    Then "ssh x450"



  • 5.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 01-02-2018 16:06
    For "older" EXOS switches, I added an alias to my bash_profile (OS X) to automatically add the older cypher. That way the extra algorithms are added by using:

    oldssh (switch_address)

    Here's what I added:

    $ grep oldssh .bash_profile
    alias oldssh='ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss'


  • 6.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 01-03-2018 18:04
    Thanks all for the help. I tried a different Ubuntu machine on a different subnet and it worked. It seems to be blocked somewhere.



  • 7.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 19:11
    Hi Zohaib,

    For EXOS 15.7.2.9 you need to run the following commands to activate SSH on each switch:
    - run update
    - enable ssh2 vr all

    For EXOS 22.2.1.5-P1-4 you need to run the following commands to activate SSH on each switch:
    - enable ssh2 vr all

    You can then run the "show management" command, check under the "SSH" heading that SSH is enabled and the key is valid.

    Please let us know if you have any other questions.
    Thank you.

    Best regards,
    Andrew


  • 8.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 19:28
    {Run update} should only be needed if the stack has not been booted since the code was loaded.

    Also, to clarify if your switches are stacked, you only need to enable ssh on the master.


  • 9.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 08:36
    Hi,
    after the Ubuntu update to 17.x I can't ssh to Extreme switches (formerly Enterasys).
    This helps for me:

    ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@[i]

    or this option for an X450:

    ssh -o HostKeyAlgorithms=+ssh-dss admin@[i]

    Regards,
    Bernhard


  • 10.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 09:39
    Instead of typing the -o... on the command line every time (or more often, depending on your skill to avoid typos), you can also put it into your ~/.ssh/config file. See https://www.openssh.com/legacy.html
    Lazy fat-fingered me would probably do that ;)



  • 11.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 19:03
    If you run {show man} is ssh enabled?

    If not you can
    {enable ssh2}


  • 12.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-28-2017 19:03
    Here is a snippet of "sh man":

    SSH access : Enabled (Key valid, tcp port 22 vr VR-Mgmt)
    : Secure-Mode : Off
    : Access Profile : 25 Dynamic rules configured
    SSH2 idle time : 60 minutes

    SSH is enabled as I can SSH to all devices via SecureCRT


  • 13.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 09:39
    I am getting this:

    Unsupported KEX algorithm "+diffie-hellman-group1-sha1"
    command-line line 0: Bad SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.


  • 14.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 09:39
    Are you using openssh from ubuntu?

    Your issue (with 15.7 EXOS version) is definitely related to the upgrade of openssh, and the legacy keys being disabled by default. The link from Frank is the solution.

    For 22.x code, this is not necessary. I see you have a debug EXOS release. Why?


  • 15.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 09:39
    ssh -Q kex


  • 16.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 12-29-2017 09:39
    Yes, I am using openssh on Ubuntu.

    I did try Bernhard Gruenwald's and Frank's solution but it did not work. I will try again and capture the error message. I am not sure about that debug file, I will check the other 870s.


  • 17.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 01-02-2018 16:06
    I was just about to suggest the same thing. I like this better than modifying the ~/.ssh/config file, since it will error out at first (with just ssh), and let you choose to downgrade to older, less secure algorithms.


  • 18.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 01-03-2018 18:04
    Glad you got it [mostly] figured out. Thanks for letting us know!


  • 19.  RE: Cant SSH2 to Extreme switches via Ubuntu

    Posted 01-03-2018 18:04
    Does the switch happen to have an SSH access profile on it? It sounds like it may be getting blocked by that.

    If it is, you should be able to see a log message that the SSH attempt was denied due to an access profile.
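
The thread mixes two different failure stages: a reset before the server sends its SSH banner (the first post, later traced to something blocking the connection) and algorithm negotiation failures that the `-o KexAlgorithms` / `-o HostKeyAlgorithms` options address. The following is an added example, not part of any post above, that sorts `ssh -v` output into those stages; the function name and labels are hypothetical, and samples 3 and 4 are constructed.

```shell
#!/bin/sh
# Added example: classify an OpenSSH client failure from `ssh -v` output on stdin.
# Function name and labels are hypothetical, not OpenSSH or EXOS terms.
classify_ssh_failure() {
    log=$(cat)
    banner_seen=no
    # The client logs the peer's version only after the server sent its banner.
    case $log in *"Remote protocol version"*) banner_seen=yes ;; esac
    case $log in
        *'Unsupported KEX algorithm "+'*)
            echo client-rejects-plus-syntax ;;   # client does not accept the "+" form
        *"no matching key exchange method found"*)
            echo kex-mismatch ;;                 # KexAlgorithms is the relevant option
        *"no matching host key type found"*)
            echo hostkey-mismatch ;;             # HostKeyAlgorithms is the relevant option
        *"Connection reset by peer"*)
            if [ "$banner_seen" = no ]; then
                echo pre-banner-reset            # dropped before negotiation: check filtering
            else
                echo reset-after-banner
            fi ;;
        *)
            echo unknown ;;
    esac
}

# Sample 1: lines taken from the first post's `ssh -v` output.
SAMPLE_RESET='debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
ssh_exchange_identification: read: Connection reset by peer'
# Sample 2: first line of the error quoted in post 13.
SAMPLE_PLUS='Unsupported KEX algorithm "+diffie-hellman-group1-sha1"'
# Samples 3 and 4: constructed lines in the wording newer OpenSSH clients print.
SAMPLE_KEX='Unable to negotiate with 10.10.0.99 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
SAMPLE_HOSTKEY='Unable to negotiate with 10.10.0.99 port 22: no matching host key type found. Their offer: ssh-dss'

for s in "$SAMPLE_RESET" "$SAMPLE_PLUS" "$SAMPLE_KEX" "$SAMPLE_HOSTKEY"; do
    printf '%s\n' "$s" | classify_ssh_failure
done
```

Against a live host, pipe the client's debug stream into it with `ssh -v admin@host 2>&1 | classify_ssh_failure`. A `pre-banner-reset` result means no algorithm option can help, so the next check is the network path and the switch's SSH access profile and log.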