Cisco SSH session fails with error "ssh: handshake failed: ssh: no common algorithm for key exchange"
Summary
When launching a Cisco SSH activity through Netwrix Privilege Secure, the session fails with:
ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1], server offered: [diffie-hellman-group1-sha1]
Issue
The SSH Key Exchange and Ciphers supported by the switch are older than the defaults used by the proxy, so Netwrix Privilege Secure cannot connect with out-of-the-box settings.
Instructions
Modify the Netwrix Privilege Secure proxy server's sbpam_ssh.json file to include the required Key Exchange algorithms and ciphers.
- Log in to Windows on the Netwrix Privilege Secure proxy server.
- Open an administrative PowerShell and run the following commands (where C:\ is the drive Netwrix Privilege Secure is installed to):
  cd "C:\Program Files\Stealthbits\PAM\ProxyService"
  ./sbpam-proxy.exe cfg -c sbpam_ssh
- Open File Explorer and browse to:
  C:\ProgramData\Stealthbits\PAM\ProxyService
- Open sbpam_ssh.json in a text editor and replace its contents with the following JSON (this overwrites any previous configuration in this file, if present):
  {
    "listenaddress": "0.0.0.0:4422",
    "ClientSettings": {
      "Algorithms": {
        "KeyExchanges": [
          "curve25519-sha256@libssh.org",
          "ecdh-sha2-nistp256",
          "ecdh-sha2-nistp384",
          "ecdh-sha2-nistp521",
          "diffie-hellman-group14-sha1",
          "diffie-hellman-group1-sha1"
        ],
        "Ciphers": [
          "aes128-gcm@openssh.com",
          "chacha20-poly1305@openssh.com",
          "aes128-ctr",
          "aes192-ctr",
          "aes256-ctr",
          "aes128-cbc",
          "3des-cbc",
          "aes192-cbc",
          "aes256-cbc"
        ]
      }
    }
  }
- Save sbpam_ssh.json and close the editor. Provision the SSH session again in Netwrix Privilege Secure and verify that the SSH session can successfully log in to the Cisco device.
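The procedure above replaces the whole file with a fixed list. As an added example (not part of this article and not Netwrix's or the proxy's own code), the script below does the same job from the error text itself: it parses the "client offered ... server offered" message, works out which server-offered algorithms the proxy is missing, merges them into an existing sbpam_ssh.json without discarding anything already configured, and reports which of the additions are legacy algorithms (diffie-hellman-group1-sha1 is a 1024-bit MODP group with SHA-1; the CBC and 3DES ciphers are no longer in current OpenSSH default proposals), so the change can be scoped to the one switch that needs it and recorded as an exception. The JSON layout and the error format are taken from the article; the starting config, the cipher-negotiation error in the comments and the LEGACY_* classification are this example's own assumptions.

```python
"""Added example (not Netwrix's or the proxy's own code): turn the
'no common algorithm' handshake error into the sbpam_ssh.json change it
needs, and flag which of the added algorithms are legacy.

Assumptions, labelled as such: the sbpam_ssh.json layout
(listenaddress / ClientSettings / Algorithms / KeyExchanges / Ciphers) is the
one shown in the article; the error text has the shape quoted in the article;
the LEGACY_* sets are this example's own classification.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed input: the error quoted in the article.
SAMPLE_ERROR = (
    "ssh: handshake failed: ssh: no common algorithm for key exchange; "
    "client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 "
    "ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1], "
    "server offered: [diffie-hellman-group1-sha1]"
)

# Constructed input: an sbpam_ssh.json holding only the listen address
# (assumed starting point before any algorithm lists are configured).
SAMPLE_CONFIG = '{"listenaddress": "0.0.0.0:4422"}'

# This example's own classification of algorithms worth flagging:
# group1 KEX is a 1024-bit MODP group with SHA-1; CBC-mode and 3DES
# ciphers are not in current OpenSSH default proposals.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}

_STAGE_RE = re.compile(r"no common algorithm for ([A-Za-z ]+?);")
_OFFER_RE = re.compile(r"(client|server) offered: \[([^\]]*)\]")


def parse_handshake_error(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (stage, client_offered, server_offered) parsed from the error text."""
    m = _STAGE_RE.search(text)
    if not m:
        raise ValueError("not a 'no common algorithm' handshake error")
    offers = {who: algs.split() for who, algs in _OFFER_RE.findall(text)}
    return m.group(1), offers.get("client", []), offers.get("server", [])


def config_key_for(stage: str) -> str:
    """Map the negotiation stage named in the error to the article's JSON list name."""
    if stage == "key exchange":
        return "KeyExchanges"
    if stage.endswith("cipher"):  # e.g. "client to server cipher" (assumed wording)
        return "Ciphers"
    raise ValueError(f"no sbpam_ssh.json list known for stage: {stage!r}")


def missing_algorithms(client: List[str], server: List[str]) -> List[str]:
    """Server-offered algorithms the proxy does not currently offer, server order kept."""
    have = set(client)
    return [a for a in server if a not in have]


def merge_config(config_json: str, stage: str, client: List[str], additions: List[str]) -> Dict:
    """Add `additions` to the matching ClientSettings.Algorithms list.

    If the list is not yet present it is seeded with what the client already
    offered, so an explicit list does not silently drop the modern algorithms
    (the article's JSON does the same by listing them ahead of group1).
    """
    cfg = json.loads(config_json)
    key = config_key_for(stage)
    algs = cfg.setdefault("ClientSettings", {}).setdefault("Algorithms", {})
    current = algs.setdefault(key, [])
    if not current:
        current.extend(client)
    for a in additions:
        if a not in current:
            current.append(a)  # appended last: chosen only when nothing earlier matches
    return cfg


def legacy_additions(additions: List[str]) -> List[str]:
    """Subset of `additions` that should be recorded as a deliberate exception."""
    return [a for a in additions if a in LEGACY_KEX or a in LEGACY_CIPHERS]


def fix_config(config_json: str, error_text: str) -> Tuple[Dict, List[str], List[str]]:
    """Parse the error, merge what is needed, report what was added and what is legacy."""
    stage, client, server = parse_handshake_error(error_text)
    needed = missing_algorithms(client, server)
    cfg = merge_config(config_json, stage, client, needed)
    return cfg, needed, legacy_additions(needed)


def render_config(cfg: Dict) -> str:
    """Serialise in the indented form you would paste back into sbpam_ssh.json."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    cfg, needed, legacy = fix_config(SAMPLE_CONFIG, SAMPLE_ERROR)
    print(render_config(cfg))
    print("added:", needed)
    print("legacy additions (record as an exception, scope to this device):", legacy)
```

Run against the article's error and an empty starting config, the script produces the same six-entry KeyExchanges list as the article's JSON, with diffie-hellman-group1-sha1 last so the proxy still negotiates a modern exchange with every switch that supports one. Running it a second time on its own output changes nothing, which is what you want from a config fix that gets re-applied by automation.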