08-01-2016 09:03 AM
The ICX7250s don't seem to support anything other than REALLY old and weak SSL key versions in SSH... which have now been deprecated.
I'm trying to set up a simple SSH login - nothing fancy - and I'm falling over at the first hurdle.
Status of the switch that I'm testing this on:
However, when I try to login, all I get is this:
Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
According to the instruction manual, it is just a case of generating an RSA key, creating a local user [for testing purposes], and you should be good to go.
I am using OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016 - and all our Linux servers used for monitoring will also be using a similar version.
The Brocade Security Manual does seem to have left out some information, so I'm wondering if you guys can help me, please?
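To see why the client reports "no matching key exchange method found", it helps to replay the negotiation the SSH transport actually performs: each side sends an SSH_MSG_KEXINIT listing its algorithms, and RFC 4253 picks the first entry in the client's list that the server also offers. The script below (added here as an illustration; not Brocade, OpenSSH or forum code) encodes and parses KEXINIT payloads, runs that selection against the default OpenSSH 7.x client list (which no longer contains diffie-hellman-group1-sha1), and flags the weak algorithms a defender would want to see removed. The two server messages are constructed to mimic a device that offers only group1-sha1 with a DSA host key, and a hypothetical upgraded device; the real algorithm list of any given firmware is an assumption, not something this thread confirms.

```python
"""Parse SSH_MSG_KEXINIT and replay RFC 4253 key-exchange negotiation.
Added example; the server messages below are constructed, not captured."""
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20

# Default client KexAlgorithms of OpenSSH 7.x, in the client's preference
# order. diffie-hellman-group1-sha1 was removed from the defaults in 7.0.
OPENSSH_7X_CLIENT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Algorithms worth flagging: 1024-bit DH group / SHA-1 KEX and DSA host keys.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
WEAK_HOSTKEY = {"ssh-dss"}

FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c"]


def _name_list(names: List[str]) -> bytes:
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(kex, hostkey, ciphers, macs) -> bytes:
    """Encode a minimal SSH_MSG_KEXINIT (RFC 4253 section 7.1)."""
    cookie = bytes(range(16))  # random on the wire; fixed here for determinism
    fields = [kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in fields:
        payload += _name_list(f)
    payload += b"\x00"               # first_kex_packet_follows = false
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode the ten name-lists of a KEXINIT, rejecting truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 17  # message type byte + 16-byte cookie
    out: Dict[str, List[str]] = {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (ln,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + ln]
        if len(raw) != ln:
            raise ValueError("truncated name-list")
        pos += ln
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 rule: first algorithm in the client's list the server offers."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def audit_server(payload: bytes, client_kex=OPENSSH_7X_CLIENT_KEX) -> Dict[str, object]:
    """Explain the outcome of a handshake against this server's KEXINIT."""
    info = parse_kexinit(payload)
    offered = info["kex_algorithms"]
    chosen = negotiate(client_kex, offered)
    return {
        "offered_kex": offered,
        "chosen_kex": chosen,
        "weak_kex_offered": sorted(set(offered) & WEAK_KEX),
        "weak_hostkey_offered": sorted(set(info["server_host_key_algorithms"]) & WEAK_HOSTKEY),
        "client_error": None if chosen else
            "no matching key exchange method found. Their offer: " + ",".join(offered),
    }


# Constructed: a device that only knows group1-sha1 and a DSA host key.
LEGACY_SWITCH_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group1-sha1"], hostkey=["ssh-dss"],
    ciphers=["aes128-cbc", "3des-cbc"], macs=["hmac-sha1"])

# Constructed, hypothetical: the same device after an upgrade and RSA key.
UPGRADED_SWITCH_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], hostkey=["ssh-rsa"],
    ciphers=["aes128-ctr", "aes256-ctr"], macs=["hmac-sha1"])

if __name__ == "__main__":
    for label, msg in [("legacy", LEGACY_SWITCH_KEXINIT), ("upgraded", UPGRADED_SWITCH_KEXINIT)]:
        print(label, audit_server(msg))
```

Running it shows the legacy message producing exactly the error text in the post (the client's list and the server's single offer have no intersection), while the upgraded message negotiates diffie-hellman-group14-sha1 but still gets flagged for continuing to advertise group1-sha1. The defender's takeaway is the one the later replies in this thread arrive at: fix the device's offer (firmware and key regeneration) rather than re-enabling the deprecated algorithm on every monitoring host.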
08-03-2016 04:16 PM
First, what version are you running? Second, have you tried to clear the crypto keys and regenerate them?
To delete the DSA host key pair, enter the following command.
device(config)#crypto key zeroize dsa
To generate a DSA key pair, enter the following command.
device(config)#crypto key generate dsa
Then try to ssh again.
I hope this helps.
08-04-2016 07:49 AM
I am running FastIron 07400 Layer 3 code base.
Nope - this does not work - I have raised a TAC call with Brocade.
Error as previously: Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
08-17-2016 11:51 AM - edited 08-17-2016 11:56 AM
First upgrade the firmware and bootrom, if applicable, to the latest supported version.
Next zeroize the crypto keys as described above.
... Then try this:
crypto key generate rsa mod 2048
If you would like to harden it further, tweak these settings to your liking:
ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
If you want to go all out and lock it down to answer SSH only for certain IPs and/or subnets:
access-list 99 permit host 10.1.2.3
access-list 99 permit 10.2.0.0 0.0.255.255
access-list 99 deny any log
ssh access-group 99
Oh yeah, and don't forget to disable telnet:
no telnet server
08-18-2016 12:18 AM