Cannot ssh into cisco switch: Invalid key length
Solution 1
OpenSSH refuses RSA keys shorter than 1024 bits starting with 7.6: https://www.openssh.com/txt/release-7.6
If you use Ubuntu, you can install openssh-client-ssh1 and then use the ssh1 command instead of ssh.
sudo apt install openssh-client-ssh1
Solution 2
If you're getting the "Invalid key length" error, the problem isn't your Ciphers (that may be its own problem, but if you're getting a key, SSH has already agreed on a cipher).
I read the CISCO documentation of enabling/disabling SSH/Telnet here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_0110.pdf
If you're still getting "Invalid key length", your Cisco switch/router is still serving up the old (short) key. Here's what I had to do:
1) Enable Telnet (feature telnet), or use a console cable
2) Log in (console or telnet)
3) Disable SSH (no feature ssh)
4) Re-create the SSH key (ssh key rsa 2048 force). Note: other blogs use the crypto key modules command; that did not help
5) Enable SSH (feature ssh)
6) Bingo... no changes to my High Sierra ssh_config file and I'm working.
Hope it helps...
Solution 3
Had the same issue, and it was because of a key length of 768 bits. To verify that you are really using your 2048-bit key:
ssh-keyscan <router|switch-ip> > rkey.txt
ssh-keygen -lf rkey.txt
This will tell you the actual key length.
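The ssh-keyscan / ssh-keygen -lf pair above needs the ssh tools on the box and a live connection. As an added example (not code from any of the answers here), the following Python script does the same bit-length check offline: it parses the base64 "ssh-rsa" blob that ssh-keyscan prints (SSH wire format: string key type, mpint e, mpint n) and reports the modulus size, flagging anything below the 1024-bit minimum that OpenSSH 7.6 enforces. The sample ssh-keyscan lines, the host addresses and the 768-bit and 2048-bit moduli are constructed for this example (the moduli are arbitrary odd numbers, not real RSA keys).

```python
import base64
import struct

# OpenSSH 7.6 refuses RSA host keys whose modulus is shorter than this many bits.
MIN_RSA_BITS = 1024


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint: big-endian, with a leading
    0x00 byte when the high bit is set so it is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> str:
    """Build the base64 'ssh-rsa' public-key blob for exponent e and modulus n.
    Used here only to construct sample input; n is NOT a real RSA modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string at offset off; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    start = off + 4
    return buf[start:start + length], start + length


def rsa_modulus_bits(pubkey_b64: str) -> int:
    """Return the RSA modulus size in bits from a base64 'ssh-rsa' blob
    (the same number that 'ssh-keygen -lf' prints in its first column)."""
    blob = base64.b64decode(pubkey_b64)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {ktype!r}")
    _e, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    # A leading 0x00 pad byte adds no bits: int.from_bytes ignores it.
    return int.from_bytes(n_bytes, "big").bit_length()


def check_keyscan_output(lines):
    """Parse ssh-keyscan output lines; map host -> (modulus bits, accepted by OpenSSH >= 7.6)."""
    results = {}
    for line in lines:
        line = line.strip()
        # ssh-keyscan also emits '# host:22 SSH-2.0-...' banner lines; skip those and blanks.
        if not line or line.startswith("#"):
            continue
        host, ktype, b64 = line.split()[:3]
        if ktype != "ssh-rsa":
            continue  # only RSA keys have the modulus-length rule discussed here
        bits = rsa_modulus_bits(b64)
        results[host] = (bits, bits >= MIN_RSA_BITS)
    return results


# Constructed sample input: one 768-bit and one 2048-bit modulus (hypothetical hosts).
SAMPLE_KEYSCAN = [
    "# 192.168.7.6:22 SSH-2.0-Cisco-1.25",
    "192.168.7.6 ssh-rsa " + make_rsa_blob(65537, (1 << 767) | 1),
    "10.0.0.2 ssh-rsa " + make_rsa_blob(65537, (1 << 2047) | 1),
]

if __name__ == "__main__":
    for host, (bits, ok) in check_keyscan_output(SAMPLE_KEYSCAN).items():
        verdict = "OK" if ok else "rejected by OpenSSH >= 7.6 (Invalid key length)"
        print(f"{host}: {bits}-bit RSA host key -> {verdict}")
```

To run it against a real device, replace SAMPLE_KEYSCAN with the lines from `ssh-keyscan -t rsa <router|switch-ip>`; a result under 1024 bits means the switch is still serving the old short key and needs the key regenerated, whatever the client-side Ciphers or KexAlgorithms settings are.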
Solution 4
I get into mine with:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc username@3750g
It selects the right key and cipher.
Charles
Solution 5
If ssh -c aes192-cbc IP_YOUR_DEVICE does not work, try running Ubuntu 12.04 on Vagrant, or if that's too hard, run Ubuntu in VirtualBox. Then connect to your VirtualBox VM and from there to your device. If your device supports server private key regeneration, do it with a size of 2048 bits. After that, try connecting from your host machine. Tested with a DFL-860E. If your device doesn't support private key regeneration with custom parameters, you can use the ssh ProxyCommand option.
Here is an example of my ssh config file with Vagrant:
Host vagrant
    HostName 127.0.0.1
    User vagrant
    Port 2222
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
    PasswordAuthentication no
    IdentityFile DIR_WHERE_VAGRANTFILE/.vagrant/machines/default/virtualbox/private_key
    IdentitiesOnly yes
    LogLevel FATAL
Host dlink
    Port 22
    User YOUR_USER_NAME_ON_DEVICE
    Ciphers aes128-cbc
    ProxyCommand ssh vagrant nc -q0 IP_YOUR_DEVICE %p
Comments
-
Mebus almost 2 years
For some reason I cannot ssh into a Cisco Catalyst C3750 Switch. This is the error message, that I get:
ssh_dispatch_run_fatal: Connection to 192.168.7.6 port 22: Invalid key length
This is the SSH config, that I am using:
Host 192.168.7.6
    IdentitiesOnly yes
    KexAlgorithms=+diffie-hellman-group1-sha1
My SSH-Version is:
OpenSSH_7.6p1, OpenSSL 1.1.0h-fips 27 Mar 2018
I already ran:
crypto key generate rsa
on the switch and generated a 2048 length key, but this did not help. I also reloaded the switch.
Thanks
-
Harrison Gibbs almost 6 years: Possible that the old key is still in there? Check with show crypto key mypubkey rsa; if so, try crypto key zeroize rsa and then regenerate.
-
Mebus about 6 years: This doesn't work and results in the same error.
-
codenaugh over 4 years: For CN2960 switches, use
crypto key generate rsa
-
reinierpost over 3 years: This works only if your ssh client is old enough. There seems to be no option to reduce the minimal key size accepted.