Jacques44 / node-red-contrib-bigssh

remote command using ssh big node
Apache License 2.0

Error: Handshake failed: no matching client->server cipher #13

Closed sgofferj closed 5 years ago

sgofferj commented 5 years ago

I'm trying to connect to an older Cisco switch. In the config I already set KEX algorithms to "diffie-hellman-group1-sha1". When connecting from the console to that switch, I also need to set Ciphers to aes256-cbc but I haven't found a way to set ciphers in bigssh. Any way to do that?

Jacques44 commented 5 years ago

Hello,

bigssh relies on ssh2, which implements all the ssh protocol complexity (https://www.npmjs.com/package/ssh2).

According to ssh2-streams, which ssh2 depends on (https://www.npmjs.com/package/ssh2-streams), cipher supports the following values, among them the one you need:

cipher - array - Ciphers.

Default values:

aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm (node v0.11.12 or newer), aes128-gcm@openssh.com (node v0.11.12 or newer), aes256-gcm (node v0.11.12 or newer), aes256-gcm@openssh.com (node v0.11.12 or newer)

Supported values:

aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm (node v0.11.12 or newer), aes128-gcm@openssh.com (node v0.11.12 or newer), aes256-gcm (node v0.11.12 or newer), aes256-gcm@openssh.com (node v0.11.12 or newer), aes256-cbc, aes192-cbc, aes128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, cast128-cbc, arcfour

So I think it's possible!

I've only added the following parameter in bigssh:

ssh_config.algorithms = {'kex': [this.credentials.algorithms]};

so I "just" need to add all the keys available:

algorithms - object - This option allows you to explicitly override the default transport layer algorithms used for the connection. Each value must be an array of valid algorithms for that category. The order of the algorithms in the arrays are important, with the most favorable being first. For a list of valid and default algorithm names, please review the documentation for the version of ssh2-streams used by this module. Valid keys:

kex - array - Key exchange algorithms.

cipher - array - Ciphers.

serverHostKey - array - Server host key formats.

hmac - array - (H)MAC algorithms.

compress - array - Compression algorithms.

So yes, I can add cipher for you; give me a few hours as I'm not in front of my home PC :-)

regards

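An added example, not code from node-red-contrib-bigssh or ssh2: it builds the ssh2 `algorithms` override discussed above from bigssh-style credential strings (the existing `algorithms` field for kex and a hypothetical `ciphers` field), validates cipher names against the ssh2-streams list quoted in the thread, and reports which requested ciphers fall outside ssh2's default set so the downgrade for a legacy device is visible rather than silent.

```javascript
// Default and supported cipher names as quoted from the ssh2-streams docs.
const DEFAULT_CIPHERS = [
  'aes128-ctr', 'aes192-ctr', 'aes256-ctr',
  'aes128-gcm', 'aes128-gcm@openssh.com',
  'aes256-gcm', 'aes256-gcm@openssh.com',
];
const LEGACY_CIPHERS = [
  'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc',
  'arcfour256', 'arcfour128', 'cast128-cbc', 'arcfour',
];
const SUPPORTED_CIPHERS = DEFAULT_CIPHERS.concat(LEGACY_CIPHERS);

// Split a comma/space separated credential string ("aes256-cbc, aes128-cbc")
// into a clean array. An empty string yields [] so the caller can omit the
// key and keep ssh2's own defaults.
function parseList(value) {
  return String(value || '')
    .split(/[\s,]+/)
    .map((s) => s.trim())
    .filter(Boolean);
}

// Build the ssh2 `algorithms` object. Only requested categories are set:
// an empty array would leave the client with nothing to offer, which is
// exactly the "no matching client->server cipher" failure from the title.
function buildAlgorithms(credentials) {
  const kex = parseList(credentials.algorithms); // bigssh's existing field
  const cipher = parseList(credentials.ciphers); // hypothetical new field
  for (const c of cipher) {
    if (!SUPPORTED_CIPHERS.includes(c)) {
      throw new Error(`cipher "${c}" is not supported by ssh2-streams`);
    }
  }
  const algorithms = {};
  if (kex.length) algorithms.kex = kex;
  if (cipher.length) algorithms.cipher = cipher;
  return algorithms;
}

// Ciphers outside ssh2's default set; worth surfacing in the node status
// so an operator sees that this connection is using an older cipher.
function nonDefaultCiphers(algorithms) {
  return (algorithms.cipher || []).filter((c) => !DEFAULT_CIPHERS.includes(c));
}

// Usage with ssh2 (not run here): pass the object as the `algorithms` key of
// the Client.connect() config, e.g.
// client.connect({ host, username, password, algorithms: buildAlgorithms(creds) });
```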

sgofferj commented 5 years ago

Awesome! Thank you so much!

Jacques44 commented 5 years ago

Hello, I've published the 1.2.3 version with cipher support. As I don't have any way to test it, please tell me.

sgofferj commented 5 years ago

It seems you have removed the login password option in this version. Older Cisco IOS versions unfortunately don't support pubkey authentication, so I could only test with password option.

Jacques44 commented 5 years ago

Hello,

I started the change from the latest git sync. That's strange, as when checking each commit I don't see anything about password authentication... damn.

By the way, should be ok now

Please tell me


sgofferj commented 5 years ago

Yes, the connect works now, thanks a lot! I just can't get my command sequence to work. Does bigssh make a new connection for each command? I'm doing the following: I have a template node in which I have the commands, one per line. That node goes into a split node which splits the commands into single messages and sends them to the bigssh node as stream. The commands are

configure terminal
interface fastethernet 1/0/11
power inline never
exit
exit

I get the correct response for "configure terminal" but I get error messages for the 2 following commands, which lets me think that bigssh makes a new connection for each message.

Jacques44 commented 5 years ago

Hello

Here is what you can do: [Screenshot 2019-07-08 at 21:53:37]

As you can see, I've used a template node. You need to set format to plain text and end your list of commands with an "exit" followed by an empty line:

[Screenshot 2019-07-08 at 21:54:30]

The ssh node is configured as follows. Command is set to "sh -", which means run a shell and wait for commands from stdin (you need to check that sh is in /bin on your remote host):

[Screenshot 2019-07-08 at 21:55:36]

Everything else is to get the output in a human readable form.

Regards

sgofferj commented 5 years ago

Thank you! That works fine with Linux machines but unfortunately not with Cisco IOS devices. I'll try and figure out how to start a "shell" on those.

sgofferj commented 5 years ago

I'll close this because the original problem was solved. Thanks again for your help!