New-SSHSession : Session operation has timed out on Cisco SF350 #442
Is there any error logged on the device?
On Jan 25, 2022, at 8:48 AM, SleeperCZ wrote:
Hello, I am using Posh-SSH ver. 3.0.0.
I have an issue, "New-SSHSession : Session operation has timed out", when trying to create a connection to Cisco SF350, SF550, etc. They use protocol version SSH-2.0-OpenSSH_7.3p1.RL.
When I try to create a connection to older models like the SF300, which uses SSH-2.0-OpenSSH_5.9p1.RL, it works great!
Cisco updated OpenSSH from 5.9 to 7.3 because of some known vulnerabilities. There is no way to change it back to 5.9.
Sadly no, because I don't have the gear to reproduce or test this.
On Feb 14, 2022, at 12:33 PM, SleeperCZ wrote:
Hello,
is there any progress? Can I assist somehow? Maybe capture more communication? Or try some other scenario? Whatever.... :)
Can you check what algorithms are set on the device and which ones are used for the host key? It could be that it moved to a version of AES not supported by the module.
Hello,
I published one of the devices at address 80.92.253.138, TCP 22.
It's a Cisco SF250 series.
According to the PuTTY log during connection, it uses cipher AES256 and SHA1 auth.
2022-02-22 09:23:16 Looking up host "80.92.253.138" for SSH connection
2022-02-22 09:23:16 Connecting to 80.92.253.138 port 22
2022-02-22 09:23:16 We claim version: SSH-2.0-PuTTY_Release_0.74
2022-02-22 09:23:16 Remote version: SSH-2.0-OpenSSH_7.3p1.RL
2022-02-22 09:23:16 Using SSH protocol version 2
2022-02-22 09:23:16 No GSSAPI security context available
2022-02-22 09:23:16 Doing Diffie-Hellman group exchange
2022-02-22 09:23:16 Doing Diffie-Hellman key exchange using 2048-bit modulus and hash SHA-1 (unaccelerated) with a server-supplied group
2022-02-22 09:23:17 Server also has ssh-dss host key, but we don't know it
2022-02-22 09:23:17 Host key fingerprint is:
2022-02-22 09:23:17 ssh-rsa 2048 91:d9:a7:95:1a:45:e1:5c:41:9b:bd:15:e1:5c:01:dd
2022-02-22 09:23:17 Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
2022-02-22 09:23:17 Initialised HMAC-SHA-1 (unaccelerated) outbound MAC algorithm
2022-02-22 09:23:17 Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
2022-02-22 09:23:17 Initialised HMAC-SHA-1 (unaccelerated) inbound MAC algorithm
Noticed something interesting: on Mac OS it is not able to negotiate a channel to validate the key using OpenSSH.
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ***@***.***,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ***@***.******@***.******@***.******@***.******@***.******@***.******@***.******@***.******@***.******@***.******@***.***,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: ***@***.******@***.******@***.***
debug2: ciphers stoc: ***@***.******@***.******@***.***
debug2: MACs ctos: ***@***.******@***.******@***.******@***.******@***.******@***.******@***.***,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: ***@***.******@***.******@***.******@***.******@***.******@***.******@***.***,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: ***@***.***,zlib
debug2: compression stoc: ***@***.***,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: ***@***.***
debug2: ciphers stoc: ***@***.***
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with 80.92.253.138 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
On Windows with OpenSSH it defaults to ***@***.*** ***@***.***> and it is able to work. With Posh-SSH the behavior is similar to OpenSSH on Mac, because neither supports ***@***.*** ***@***.***> even when other supported ciphers are available. I wonder if that could be the cause.
I wonder if setting AES explicitly would work:
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes128-ctr aes256-ctr
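The "(no match)" in the `ssh -vv` output above is the outcome of the rule in RFC 4253 section 7.1: for each category, the chosen algorithm is the first name in the client's list that also appears in the server's list, and an empty intersection aborts the connection before any key material is exchanged. The script below, an added example that is not part of this thread, Posh-SSH or SSH.NET, replays that rule over `ssh -vv` output. Its sample input is constructed from the two proposals quoted above; the entries GitHub's e-mail scrubbing redacted as `***@***.***` (the client's first KEX method, its AEAD cipher names and the switch's cipher name) are replaced with assumed values, so those particular names are placeholders rather than what the switch really offered.

```python
"""Replay SSH algorithm negotiation (RFC 4253 section 7.1) from `ssh -vv` output.

Added example for the Posh-SSH issue thread; not code from Posh-SSH or SSH.NET.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the debug2 lines quoted in the thread.
# ASSUMPTION: names that GitHub redacted as ***@***.*** are replaced here with
# plausible values (curve25519-sha256, aes*-ctr); the switch's real cipher
# name is not visible in the thread.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes256-ctr
debug2: ciphers stoc: aes256-ctr
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
"""

CATEGORIES = ("KEX algorithms", "host key algorithms", "ciphers ctos", "ciphers stoc",
              "MACs ctos", "MACs stoc", "compression ctos", "compression stoc")
LINE_RE = re.compile(r"^debug2: (%s): ?(.*)$" % "|".join(re.escape(c) for c in CATEGORIES))


def parse_proposals(debug_output: str) -> Dict[str, Dict[str, List[str]]]:
    """Split `ssh -vv` output into the client's and the server's name-lists."""
    proposals: Dict[str, Dict[str, List[str]]] = {"client": {}, "server": {}}
    side: Optional[str] = None
    for line in debug_output.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side:
            match = LINE_RE.match(line)
            if match:
                proposals[side][match.group(1)] = [n for n in match.group(2).split(",") if n]
    return proposals


def choose(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first client-preferred name the server also lists wins."""
    for name in client:
        if name in server:
            return name
    return None


def negotiate(debug_output: str,
              extra_client_kex: Optional[List[str]] = None) -> Dict[str, Optional[str]]:
    """Algorithm picked per category, or None where the two lists do not intersect.

    extra_client_kex models `ssh -o KexAlgorithms=+name`, which appends legacy
    methods to the client's proposal without changing its preference order.
    """
    proposals = parse_proposals(debug_output)
    result: Dict[str, Optional[str]] = {}
    for category in CATEGORIES:
        client = list(proposals["client"].get(category, []))
        if category == "KEX algorithms":
            # ext-info-c is an extension-negotiation marker (RFC 8308), not a KEX method
            client = [n for n in client if n != "ext-info-c"] + list(extra_client_kex or [])
        result[category] = choose(client, proposals["server"].get(category, []))
    return result


if __name__ == "__main__":
    for label, extra in (("default client", []),
                         ("with group14-sha1 re-enabled", ["diffie-hellman-group14-sha1"])):
        print(label)
        for category, picked in negotiate(SAMPLE_DEBUG, extra).items():
            print("  %-20s %s" % (category, picked or "(no match)"))
```

With the default client list every category except KEX has a match, which is why the cipher and MAC are not the problem here; only the key-exchange lists are disjoint. Of the three methods the switch offers, diffie-hellman-group14-sha1 (a 2048-bit group) is the one to re-enable if you must; diffie-hellman-group1-sha1 is a 1024-bit group and is disabled by default in OpenSSH since 7.0 for that reason.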
Unfortunately I am unable to configure that on the Small Business switch SF250. I can only enable or disable ip ssh server and generate or modify server keys :-(

I thought that the difference should be in the order of key exchange initialization. A few months ago, when I found that problem communicating with the SF350, I browsed the internet to get some answers. I found one blog where Cisco described why they changed from OpenSSH 5.9 to OpenSSH 7.3. As I remember, the reason was somehow connected exactly with the order of key exchange init (it was some security bug in 5.9). Unfortunately I am unable to find that blog again :-( I can see that PuTTY starts the key exchange from the client side and all works fine. But in the case of Posh-SSH, the client awaits the server-side init and times out.

But maybe the problem is deeper, as you wrote. I have just poor knowledge of encryption algorithms :-(

I have found that you build Posh-SSH on renci.ssh.net. According to the documentation on GitHub they do support diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, so if the switch is offering those, I do not see any reason not to use them.

On the internet I have found some topics about weak ciphers disabled on Mac and a workaround for how to enable them again in the configuration file.
I think it could be the chacha cipher or this problem: sshnet/SSH.NET#841
I have tried to build a new version of SSH.NET with likeMyCoffee's modification. It really changes the order of client and server identification as expected. The Connect() method of the Session class passes through the client/server identification, then registers message listeners and gets stuck at line 624 of Session.cs, WaitOnHandle(_keyExchangeCompletedWaitHandle), until it times out. The point is that the server side just does not send KEXINIT. It waits for the init message from the server and there is no way to force the Connect() method to send KEXINIT. It is not implemented there and it's definitely out of my skills to make it.
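The behaviour described in that comment, a client that waits for the server's KEXINIT instead of sending its own, can be checked without SSH.NET. RFC 4253 lets either side send SSH_MSG_KEXINIT first, so a probe that sends its identification string and then its own KEXINIT straight away should get the switch's KEXINIT back whether or not the server volunteers one. The script below is an added example, not code from this thread, Posh-SSH or SSH.NET: it builds and parses KEXINIT and the unencrypted binary-packet framing by hand with the standard library only. `probe()` takes a host and port you supply; the name-lists it offers are an assumption chosen to overlap with the switch's offer quoted earlier, and the round trip through `build_kexinit`/`parse_kexinit` runs offline. (nmap's ssh2-enum-algos script does the same enumeration if you only need the lists.)

```python
"""Hand-rolled SSH_MSG_KEXINIT (RFC 4253 sections 6 and 7.1) to probe which side
of the key exchange a server will start. Added example; not Posh-SSH or SSH.NET code."""
import os
import socket
import struct
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_ctos", "enc_stoc", "mac_ctos", "mac_stoc",
              "comp_ctos", "comp_stoc", "lang_ctos", "lang_stoc")

# ASSUMPTION: a deliberately permissive proposal that overlaps the switch's offer
# quoted in the thread; a hardened client would not list the SHA-1 methods.
PROBE_PROPOSAL: Dict[str, List[str]] = {
    "kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"],
    "host_key": ["rsa-sha2-256", "ssh-rsa"],
    "enc_ctos": ["aes256-ctr", "aes128-ctr"], "enc_stoc": ["aes256-ctr", "aes128-ctr"],
    "mac_ctos": ["hmac-sha2-256", "hmac-sha1"], "mac_stoc": ["hmac-sha2-256", "hmac-sha1"],
    "comp_ctos": ["none"], "comp_stoc": ["none"],
}


def _name_list(names: List[str]) -> bytes:
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(proposal: Dict[str, List[str]]) -> bytes:
    """Serialise a KEXINIT payload: type byte, 16-byte cookie, ten name-lists, flags."""
    payload = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for field in NAME_LISTS:
        payload += _name_list(proposal.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved (must be zero)
    return payload


def parse_kexinit(payload: bytes) -> Dict[str, object]:
    """Inverse of build_kexinit; raises if the payload is some other message type."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("expected SSH_MSG_KEXINIT (20), got %r" % (payload[:1],))
    pos = 17                         # message type + cookie
    parsed: Dict[str, object] = {}
    for field in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        parsed[field] = raw.split(",") if raw else []
    parsed["first_kex_packet_follows"] = payload[pos] != 0
    return parsed


def wrap_packet(payload: bytes, block: int = 8) -> bytes:
    """Unencrypted Binary Packet Protocol framing: uint32 packet_length, byte
    padding_length, payload, then at least 4 random padding bytes so the whole
    packet is a multiple of the block size."""
    padding = block - ((len(payload) + 5) % block)
    if padding < 4:
        padding += block
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + os.urandom(padding)


def unwrap_packet(packet: bytes) -> bytes:
    """Strip the framing added by wrap_packet and return the payload."""
    length, padding = struct.unpack_from(">IB", packet, 0)
    return packet[5:5 + length - padding - 1]


def probe(host: str, port: int = 22, timeout: float = 5.0) -> Tuple[str, Dict[str, object]]:
    """Send our identification and KEXINIT first; return the server's version line
    and its parsed KEXINIT. Works whether or not the server speaks first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        line = reader.readline()
        while line and not line.startswith(b"SSH-"):  # banner lines before the version are allowed
            line = reader.readline()
        sock.sendall(wrap_packet(build_kexinit(PROBE_PROPOSAL)))
        header = reader.read(5)
        (length,) = struct.unpack(">I", header[:4])
        packet = header + reader.read(length - 1)     # packet_length counts everything after itself
        return line.rstrip(b"\r\n").decode("ascii", "replace"), parse_kexinit(unwrap_packet(packet))


if __name__ == "__main__":
    import sys
    version, kexinit = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    print(version)
    for field in ("kex", "host_key", "enc_ctos", "mac_ctos", "comp_ctos"):
        print("  %-9s %s" % (field, ",".join(kexinit[field])))
```

Run it as `python3 kexinit_probe.py <host> [port]` against a switch you are allowed to test. If the server only answers after the client's KEXINIT, this probe still returns its lists, which is the difference between PuTTY (client sends first) and the SSH.NET behaviour described in the comment; the probe never proceeds past KEXINIT, so no key exchange or authentication takes place.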
Do you know if the target has compression disabled, since Posh-SSH does not support it?
There is no such option in the switch configuration CLI. But I am absolutely sure that I can connect to the switch without compression via PuTTY. So maybe the switch supports compression, but it definitely does not force or request it.
I think I'm having the same issue on CSB350 switches. Did you make any progress with this?
Known issue with the library I use and Cisco kit: Cisco connection issue fix by likeMyCoffee · Pull Request #841 · sshnet/SSH.NET
Can you test with version 3.0.7?

It is still a problem with 3.0.8
The fix in the PR did not work. Sadly, if you use Cisco kit I can't recommend you use my module at this time.
Version 3.1.2 includes the latest version of SSH.NET, which should address this.

That's great! I will try it as soon as possible. Thank you!
Works great. Thank you very much!
Libor