
For some reason I cannot ssh into a Cisco Catalyst C3750 switch. This is the error message that I get:

   ssh_dispatch_run_fatal: Connection to 192.168.7.6 port 22: Invalid key length

This is the SSH config that I am using:

   Host 192.168.7.6
   IdentitiesOnly yes
   KexAlgorithms=+diffie-hellman-group1-sha1

My SSH version is:

   OpenSSH_7.6p1, OpenSSL 1.1.0h-fips  27 Mar 2018

I already ran:

   crypto key generate rsa

on the switch and generated a 2048-bit key, but this did not help. I also reloaded the switch.

Thanks

Mebus
Possible that the old key is still in there? Check with **show crypto key mypubkey rsa**; if so, try **crypto key zeroize rsa** and then regenerate. – Harrison Gibbs Jul 11 '18 at 02:23

6 Answers


OpenSSH refuses key lengths of less than 1024 bits starting with 7.6. https://www.openssh.com/txt/release-7.6

If you use Ubuntu, you can install openssh-client-ssh1, then use the ssh1 command instead of ssh.

   sudo apt install openssh-client-ssh1

Kevin

Had the same issue and it was because of a key length of 768 bits. To verify that you are really using your 2048-bit key:

   ssh-keyscan <router|switch-ip> > rkey.txt
   ssh-keygen -lf rkey.txt

This will tell you the actual key length.

Hnouss
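The same check done offline, as an added example that is not part of any answer above: it parses the `ssh-rsa` blob from a `ssh-keyscan`/known_hosts line (RFC 4253 wire format: type string, mpint e, mpint n) and reports the modulus size, flagging anything under the 1024-bit floor that OpenSSH 7.6 enforces. The two sample key lines are constructed in the script, not captured from a real device.

```python
import base64
import struct

# Minimum RSA host-key size accepted by OpenSSH 7.6 and later (see release notes).
OPENSSH_MIN_RSA_BITS = 1024


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format 'string' (uint32 length + bytes); return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_key_bits(keyscan_line: str) -> int:
    """Modulus size in bits of an 'ssh-rsa' key line: '<host> ssh-rsa <base64 blob>'."""
    fields = keyscan_line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("not an ssh-rsa host key line")
    blob = base64.b64decode(fields[2])
    key_type, off = _read_string(blob, 0)          # string "ssh-rsa"
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match ssh-rsa")
    _e, off = _read_string(blob, off)              # mpint e (public exponent)
    n_bytes, _ = _read_string(blob, off)           # mpint n (modulus)
    # An mpint carries a leading 0x00 when the top bit is set; int() ignores it.
    return int.from_bytes(n_bytes, "big").bit_length()


def rejected_by_modern_openssh(keyscan_line: str) -> bool:
    """True when OpenSSH >= 7.6 would abort with 'Invalid key length'."""
    return rsa_key_bits(keyscan_line) < OPENSSH_MIN_RSA_BITS


def build_keyscan_line(host: str, e: int, n: int) -> str:
    """Encode e and n into a keyscan-style line (used only to construct the demo input)."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # extra byte keeps sign bit clear
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


# Constructed sample keys: a 768-bit modulus (old switch default) and a 2048-bit one.
OLD_KEY = build_keyscan_line("192.168.7.6", 65537, (1 << 767) | 1)
NEW_KEY = build_keyscan_line("192.168.7.6", 65537, (1 << 2047) | 1)

if __name__ == "__main__":
    for line in (OLD_KEY, NEW_KEY):
        print(rsa_key_bits(line), "bits, rejected by OpenSSH 7.6+:", rejected_by_modern_openssh(line))
```

Feed it a real line with `ssh-keyscan -t rsa <switch-ip>` to see which key the switch is actually serving, independent of what `crypto key generate rsa` reported.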

If you're getting the "Invalid key length" error, the problem isn't your Ciphers (that may be its own problem, but if you're getting a key, SSH has agreed to a Cipher).

I read the Cisco documentation on enabling/disabling SSH/Telnet here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_0110.pdf

If you're still getting an "invalid key length", your Cisco switch/router is still serving up the old (short) key. Here's what I had to do:

1) Enable Telnet (feature telnet) OR use a console cable
2) Login (console or telnet)
3) Disable SSH (no feature ssh)
4) Re-create the SSH key (ssh key rsa 2048 force). Note: other blogs use the crypto key modulus command; that did not help
5) Enable SSH (feature ssh)
6) Bingo... no changes to my High Sierra ssh_config file and I'm working.

Hope it helps...


It happens if your SSH key length has recently changed, e.g. from 1024 bits to 2048 bits. A simple way to fix it is to just remove the old SSH key from the known hosts file and try to SSH to the device again. It will help.


I get into mine with:

   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc username@3750g

It selects the right key and cipher.

Charles

charlesnadeau

If ssh -c aes192-cbc IP_YOUR_DEVICE does not work, try running Ubuntu 12.04 on Vagrant, or if that is too hard, run Ubuntu on VirtualBox. Then connect to your VBox and from there to your device. If your device supports server private key regeneration, do it with a size of 2048 bits. After that, try connecting from your host machine. Tested with a DFL-860E. If your device doesn't support private key regeneration with custom parameters, you can use ssh ProxyCommand.

Here is an example of my SSH config file with Vagrant:

   Host vagrant
       HostName 127.0.0.1
       User vagrant
       Port 2222
       UserKnownHostsFile /dev/null
       StrictHostKeyChecking no
       PasswordAuthentication no
       IdentityFile DIR_WHERE_VAGRANTFILE/.vagrant/machines/default/virtualbox/private_key
       IdentitiesOnly yes
       LogLevel FATAL

   Host dlink
       port 22
       User YOUR_USER_NAME_ON_DEVICE
       Ciphers aes128-cbc
       ProxyCommand ssh vagrant nc -q0 IP_YOUR_DEVICE %p

zysyl