%SECURITY-SSHD-6-INFO_GENERAL : no matching kex found

Error Connecting to IOS-XR in the LAB

I created a new test lab using EVE-NG. Everything was fine, but when I tried to connect to Cisco IOS-XR from my jump host, I saw this message:

stack@devstack$ ssh cisco@192.168.0.7
Unable to negotiate with 192.168.0.7 port 22: no matching host key type found. Their offer:

Hmm... Their offer is nothing!

I connected to the console and checked the logs on the other side:

RP/0/0/CPU0:May 30 10:33:08.510 : exec[65722]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'cisco' from 'console' on 'con0_0_CPU0' 
RP/0/0/CPU0:May 30 10:33:59.970 : SSHD_[65831]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert- 

Hmm...
The router's configuration is quite straightforward, no different from hundreds of others:

RP/0/0/CPU0:XRv1#show running-config ssh
Sun May 30 11:12:59.403 UTC
ssh server v2
ssh server netconf vrf default
ssh server logging

But what does "offer nothing" mean? And, more interestingly, how do we solve the issue?

It looks like Cisco IOS-XR has nothing to offer at all.

The answer is pretty simple: the router had no SSH host key pair, so it had no host key type to offer. After generating a crypto key, the problem is gone.

RP/0/0/CPU0:XRv1#crypto key generate rsa
Sun May 30 11:00:02.091 UTC
The name for the keys will be: the_default
  Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [2048]:
Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

Hope this will help you to solve this problem.

PS: Update from the Cisco IOS-XR documentation: "From Cisco IOS XR Software Release 7.0.1 and later, the SSH host-key pairs are auto-generated at the time of router boot up. Hence you need not perform steps 5 to 7 to generate the host keys explicitly."
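
The empty "Their offer:" in the client error corresponds to an empty server_host_key_algorithms name-list in the server's SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The Python below is an added example, not part of the original post: it parses that message and tells "server has no host key" apart from an ordinary algorithm mismatch. The function names and the two sample payloads are constructed for illustration and were not captured from the router above.

```python
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}            # skip message type (1 byte) + cookie (16 bytes)
    for name in FIELDS:
        length = int.from_bytes(payload[pos:pos + 4], "big")   # uint32 list length
        pos += 4
        if pos + length > len(payload):   # also catches a cut-off length field
            raise ValueError(f"name-list {name} overruns payload")
        raw = payload[pos:pos + length].decode("ascii")
        out[name] = raw.split(",") if raw else []   # empty list = nothing offered
        pos += length
    return out

def diagnose(payload: bytes, client_accepts: list) -> str:
    """Classify the host key negotiation outcome for one server KEXINIT."""
    offer = parse_kexinit(payload)["server_host_key_algorithms"]
    if not offer:
        return "server offers no host key types: check that a host key pair exists"
    common = [a for a in client_accepts if a in offer]   # client preference order
    if not common:
        return "no common host key type; server offers: " + ",".join(offer)
    return "negotiated host key type: " + common[0]

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed KEXINIT payload for the sample data below."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # all-zero cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + bytes(5)   # first_kex_packet_follows = false, reserved uint32 = 0

# Constructed samples: a server without host keys, and one with an RSA key.
BASE = {"kex_algorithms": ["diffie-hellman-group14-sha1"], "encryption_c2s": ["aes128-ctr"]}
NO_KEYS = build_kexinit(BASE)
WITH_RSA = build_kexinit({**BASE, "server_host_key_algorithms": ["ssh-rsa"]})

if __name__ == "__main__":
    for sample in (NO_KEYS, WITH_RSA):
        print(diagnose(sample, ["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"]))
```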
