With new OpenSSH Client 7.1: No "normal" SSH Login to EXOS possible

  • 0
  • 2
  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
Hello,

with the current OpenSSH Client 7.1 (released August 21, 2015) it is not possible any longer to login "directly" to an EXOS switch.


~ $ ssh admin@X
Unable to negotiate with X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

According to http://www.openssh.com/legacy.html the workaround is:


~ $ ssh admin@X -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss
[..]
Enter password for admin:
ExtremeXOS
Copyright (C) 1996-2015 Extreme Networks. All rights reserved.
This product is protected by one or more US patents listed at http://www.extremenetworks.com/patents along with their foreign counterparts.
==============================================================================
Press the <tab> or '?' key at any time for completions.
Remember to save your configuration changes.
Slot-1 Y #


Are there any plans or already ways, that EXOS's SSH Implementation doesn't use weak/legacy algorithms?


Cheers
Jan


P.S.: Tested with EXOS up to:

# sh version
Switch      : 800551-00-05 1523N-44609 Rev 5.0 BootROM: 1.0.2.1    IMG: 16.1.1.4
X460-G2-VIM-2X-B-1: 800556-00-03 1502N-42815 Rev 3.0
PSU-1       : Internal PSU-1 800592-00-07 1519A-45753
PSU-2       : Internal PSU-2 800592-00-07 1519A-45758
Image   : ExtremeXOS version 16.1.1.4 by release-manager
          on Fri Jun 12 17:47:56 EDT 2015
BootROM : 1.0.2.1
Diagnostics : 3.1
Photo of Jan Steinbach

Jan Steinbach

  • 1,078 Points 1k badge 2x thumb

Posted 3 years ago

  • 0
  • 2
Photo of Drew C.

Drew C., Community Manager

  • 37,336 Points 20k badge 2x thumb
This sounds like something we'll need to look into.  I'll do some checking internally, and I suspect someone may be able to come back with more information before I can.

Can I ask what OS you're using?
(Edited)
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,552 Points 10k badge 2x thumb
Hi,

yes, there're plans to upgrade the SSH Server in future release. It doesn't seem we can have stronger key exchange methods in our current implementation.
Photo of ECOMMERCE\lucasjm

ECOMMERCE\lucasjm

  • 70 Points
Are there any updates on this topic?
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,552 Points 10k badge 2x thumb
21.1 has the SSH server upgrade, 16.2 should have it when it's released, afaik.
Photo of Jarek

Jarek

  • 2,398 Points 2k badge 2x thumb
What about EXOS 15.6.X 15.7.X ? Or 15.3.[4-5].X ?

--
Jarek
(Edited)
Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 12,552 Points 10k badge 2x thumb
I'm not aware of any plan for it. You should reach out to your Extreme representative for such a request.
Photo of ECOMMERCE\lucasjm

ECOMMERCE\lucasjm

  • 70 Points
Ok, thanks for the info!