SSH to Cisco ASA fails, unable to negotiate, no matching key exchange method found.

Short story: With SSH-clients based on OpenSSH 7.0 (like my OSX Mac) I cannot connect with SSH to a Cisco Firewall. To connect anyway I must add the parameter -oKexAlgorithms=+diffie-hellman-group1-sha1 to ssh.

sha1 is deprecated as hash algoritm and should not be used. In some Cisco ASA firewalls running older code you might find that connecting with ssh to the device gives you an error message similar to this:

bash>ssh jimmy@10.192.168.1
Unable to negotiate with 10.192.168.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
bash>

The quick fix to this is to temporary accept sha1 in your ssh client. In OSX you add the parameter -oKexAlgorithms=+diffie-hellman-group1-sha1 to make the client accept sha1:

bash>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 jimmy@10.192.168.1
jimmy@10.192.168.1's password: 
Type help or '?' for a list of available commands.
5506> 

The permanent and much better solution is of course to tell the ASA not to use sha1. Unfortunately this is not possible. As a sidenote there is a new feature that comes with version 9.6(1) and 9.1(7).

There must be a ssh cipher configuration command available, if not, upgrade. Like in my box running 9.5(2):

5506(config)# ssh ci?
ERROR: % Unrecognized command
5506(config)# ssh ci

After upgrading to 9.6(1) I am able to select ssh cipher parameters both for integrity (hash) and encryption:

5506(config)# ssh cipher integrity ?

configure mode commands/options:
  all     Specify all ciphers
  custom  Choose a custom cipher integrity configuration string.
  fips    Specify only FIPS-compliant MACs
  high    Specify only high-strength MACs
  low     Specify low, medium, and high strength MACs
  medium  Specify medium and high strength MACs (default)
5506(config)# ssh cipher encryption ?

configure mode commands/options:
  all     Specify all ciphers
  custom  Choose a custom cipher encryption configuration string.
  fips    Specify only FIPS-compliant ciphers
  high    Specify only high-strength ciphers
  low     Specify low, medium, and high strength ciphers
  medium  Specify medium and high strength ciphers (default)
5506(config)#

It is not obvious what these cipher suites means but there is a command “show ssh ciphers” available:

5506(config)# sh ssh ciphers 
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
	all:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	low:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	medium:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	fips:	 aes128-cbc   aes256-cbc  
	high:	 aes256-cbc   aes256-ctr  
Integrity Algorithms:
	all:	 hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96 
	low:	 hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96 
	medium:	 hmac-sha1    hmac-sha1-96
	fips:	 hmac-sha1   
	high:	 hmac-sha1   
5506(config)# 

But Wooooot??? Only sha1 algorithms available? That was unexpected. Let´s try the highest protocol suite available:

5506(config)# ssh cipher encryption high
5506(config)# ssh cipher integrity high
5506(config)# exit
5506# wr mem

After a restart (just to be sure) I still cannot connect from my Mac:

bash>ssh jimmy@10.192.168.1
Unable to negotiate with 10.192.168.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
bash>

Let´ see how the SSH negotiation looks like. It is Wireshark´O-clock!

This image (click for larger version) shows that the ASA requests DH group 1 with sha1 as the only acceptable protocol for key exchange:

 

Wireshark screendump of packet sent from ASA to the client containing the SSH Key exchange offer

Wireshark screendump of packet sent from ASA to the client containing the SSH Key exchange offer

And this image (click for a larger version) shows the reply from the client which is a bit more flexible, offering a lot of different protocols for key exchange, including “diffie-hellman-group-exchange-sha1” which sounds pretty close to “diffie-hellman-group1-sha1” if you ask me.

 

Reply packet from client to ASA

Reply packet from client to ASA

If someone can tell me the difference between “diffie-hellman-group-exchange-sha1” and “diffie-hellman-group1-sha1”, please write a comment. In the meantime while waiting for Cisco to update the ssh protocol suite in the ASA, use the workaround-parameter stated above.

 

Update:

Cisco have noticed, waiting for more feedback…

 

Update2: An answer from Ciscos supportforum:

 

screenshot-2016-12-02-18-58-58

 

It seems that this is unresolved from Ciscos side right now…

Tagged with: , , , , , , , , , ,
Posted in Cisco Networking, Cisco Security
14 comments on “SSH to Cisco ASA fails, unable to negotiate, no matching key exchange method found.
  1. Hakan Nohre says:

    Hi Jimmy,
    Please try ssh key-exchange group dh-group14-sha1,
    I tried it on my ASA running 9.6.2 and it worked fine.
    Regards
    Hakan Nohre

  2. Harambe says:

    If you’re tired of writing the flag, you can create an SSH config file on your Mac:

    vi ~/.ssh/config

    And add this line:
    KexAlgorithms +diffie-hellman-group1-sha1

  3. here says:

    I just tried this under asa5505 9.2(4)22 and it worked great!

    default was:
    ssh key-exchange group dh-group1-sha1

    change to:
    ssh key-exchange group dh-group14-sha1

    Thank so much!!
    -here

  4. FirstRussell says:

    I see you don’t monetize your blog, don’t waste your traffic, you can earn extra cash every month because you’ve got hi quality content.

    If you want to know how to make extra money, search for: Boorfe’s tips best adsense alternative

  5. LastMellisa says:

    I have noticed you don’t monetize your website, don’t waste your
    traffic, you can earn additional cash every month because you’ve got high quality
    content. If you want to know how to make extra $$$, search for: Mertiso’s tips best adsense alternative

  6. adriano epifas says:

    For this to work without decreasing the level of security in the SSH client, change the key exchange group in ASA:
    # ssh key-exchange group dh-group14-sha1

    That is one of the default Kex (key exchange) algorithms for ssh client (at least for OpenSSH). Confirm the default ones in ssh_config and you will see group14 is there

  7. Leatha says:

    have a nice day

  8. Like!! I blog quite often and I genuinely thank you for your information. The article has truly peaked my interest.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Signuppp

[mc4wp_form id="2457"]
Website Security Test