H3C switch cannot log in to HW switch over SSH

Published 2022-03-03 23:23:32

Network Topology

None provided

Problem Description

An H3C switch acting as the SSH client cannot log in to an HW switch. The session drops straight back to the prompt and no error is printed:

<H3C> ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.


<H3C>


Process Analysis

1. Other devices can log in to the HW switch over SSH, so the SSH server on the HW switch itself is working.

2. The HW switch does not restrict the source IP addresses allowed to log in over SSH.

3. The H3C switch and the HW switch sit in the same Layer 2 domain, with no security device or packet filter between them that could drop SSH packets.

4. On the H3C switch (the client side), enable SSH client debugging and repeat the login to watch the SSH negotiation:

-----------------------------

debugging ssh client all

terminal debugging

terminal monitor

ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.

*Jan 31 15:24:18:590 2022 H3C SSHC/7/EVENT: -COntext=1; Connection established.

*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Remote protocol version 2.0, remote software version  HW   -1.5

*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Enabling compatibility mode for protocol 2.0

*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Get self version string Comware-7.1.064

*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Local version string SSH-2.0-Comware-7.1.064

*Jan 31 15:24:18:593 2022 H3C SSHC/7/MESSAGE: -COntext=1; Prepare packet[20].

*Jan 31 15:24:18:600 2022 H3C SSHC/7/MESSAGE: -COntext=1; Received packet type 20.

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Received SSH2_MSG_KEXINIT.

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; My proposal kex:    // the algorithm set the H3C client supports

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-dss,ssh-rsa

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes128-cbc,aes256-cbc,3des-cbc,des-cbc

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes128-cbc,aes256-cbc,3des-cbc,des-cbc

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none,zlib,zlib@openssh.com

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none,zlib,zlib@openssh.com

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Peer proposal kex:    // the algorithm set the HW switch supports

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group14-sha1

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-rsa

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha2-256

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha2-256

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):

%Jan 31 15:24:18:601 2022 H3C SSHS/6/SSHS_ALGORITHM_MISMATCH: -COntext=1; SSH client 10.*.*.11 failed to log in because of Message Authentication code (MAC) algorithm mismatch.

*Jan 31 15:24:18:601 2022 H3C SSHC/7/ERROR: -COntext=1; No matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 server hmac-sha2-256

---------- The login fails because the client and server share no MAC algorithm: the H3C client offers only hmac-sha1, hmac-sha1-96, hmac-md5 and hmac-md5-96, while the HW server accepts only hmac-sha2-256. The other name-lists do overlap (diffie-hellman-group14-sha1 for key exchange, ecdsa-sha2-nistp256 and ssh-rsa for the host key, aes128-cbc, aes256-cbc and 3des-cbc for the cipher), so the MAC list is the only one that fails.

undo terminal monitor

undo terminal debugging

undo debugging all


Solution

1. The H3C switch runs an old release (Comware-7.1.064 in the debug output) whose SSH client algorithm set cannot be changed from the CLI, so the client cannot be made to offer hmac-sha2-256.

2. The HW switch runs a newer release whose SSH server algorithm lists can be adjusted from the CLI, so the server side is changed to accept the algorithms the old H3C client offers.

3. Add the following configuration on the HW switch:

sys

[HW]ssh server secure-algorithms cipher 3des aes128 aes256_cbc aes128_ctr aes256_ctr

[HW]ssh server secure-algorithms hmac md5 md5_96 sha1 sha2_256 sha1_96 sha2_256_96

Note that this widens the algorithm set for every SSH client of the HW switch, not just the H3C: hmac-md5, hmac-md5-96 and hmac-sha1-96 are enabled server-wide, and a client that prefers them will get them. The debug output shows that only the MAC list lacked overlap (the cipher lists already shared aes128-cbc, aes256-cbc and 3des-cbc), so adding hmac sha1 alongside sha2_256 is enough for this client, and the cipher command is not required for this failure. Treat the change as a temporary compatibility measure and revert it once the H3C switch is upgraded to a release that supports hmac-sha2-256.

Test again from the H3C switch; the login now succeeds:

ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

admin@10.*.*.11's password:

Enter a character ~ and a dot to abort.

Warning: The password will expire in 17 days.

The password needs to be changed. Change now? [Y/N]: n

  -----------------------------------------------------------------------------    

  User last login information:    

  -----------------------------------------------------------------------------

  Access Type: SSH     

  IP-Address : 10.*.*.1    

  Time       : 2022-01-31 15:20:28+08:00    

  -----------------------------------------------------------------------------
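As an added example (not part of the original case, and not H3C or HW code), the following Python script replays the negotiation recorded in the debug output above: it parses the "Kex strings(n)" lines into the client and server proposals, applies the RFC 4253 section 7.1 rule (per name-list, the first algorithm on the client's list that the server also lists wins), reports which name-lists have no common algorithm, and then re-runs the negotiation with the HW server's MAC list widened, both minimally (sha2_256 plus sha1) and as in the Solution. It also flags the legacy algorithms the server ends up offering and the ones the old client ends up choosing. The DEBUG_LOG sample is constructed from the debug session above; the mapping from Huawei keywords (sha1, md5, sha2_256_96, ...) to SSH wire names (hmac-sha1, hmac-md5, hmac-sha2-256-96, ...) is an assumption, as is the WEAK classification.

```python
"""Replay the SSH KEXINIT negotiation captured in the H3C debug output.

Added example, not code from the original case. Parses the "Kex strings(n)"
lines, applies the RFC 4253 section 7.1 selection rule per name-list, and
shows the effect of widening the HW server's MAC list.
"""
import re

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1); the
# H3C debug prints them as Kex strings(0) .. Kex strings(9) in this order.
SLOTS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
         "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Assumed classification: algorithms a practitioner would not want negotiated.
WEAK = {"diffie-hellman-group1-sha1", "ssh-dss", "des-cbc", "3des-cbc",
        "aes128-cbc", "aes256-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Constructed sample: the proposal lines from the debug session above.
DEBUG_LOG = """\
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; My proposal kex:
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none,zlib,zlib@openssh.com
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none,zlib,zlib@openssh.com
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Peer proposal kex:
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group14-sha1
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-rsa
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha2-256
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha2-256
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):
"""

KEX_LINE = re.compile(r"Kex strings\((\d)\):\s*(.*)$")

# Assumed keyword-to-wire-name mapping for the two server-side variants:
# "ssh server secure-algorithms hmac sha2_256 sha1" (minimal) and the
# six-keyword command used in the Solution.
MINIMAL_FIX_MACS = ["hmac-sha2-256", "hmac-sha1"]
PAGE_FIX_MACS = ["hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha2-256",
                 "hmac-sha1-96", "hmac-sha2-256-96"]


def parse_proposals(log):
    """Return (client, server): each a dict slot -> list of algorithm names."""
    client, server, current = {}, {}, None
    for line in log.splitlines():
        if "My proposal kex" in line:      # H3C's own KEXINIT follows
            current = client
        elif "Peer proposal kex" in line:  # KEXINIT received from the HW switch
            current = server
        m = KEX_LINE.search(line)
        if m and current is not None:
            current[SLOTS[int(m.group(1))]] = [n for n in m.group(2).split(",") if n]
    return client, server


def negotiate(client, server):
    """Per name-list, the first client algorithm the server also lists wins;
    None marks a name-list with no common algorithm (language lists skipped)."""
    chosen = {}
    for slot in SLOTS:
        if slot.startswith("lang"):
            continue
        c, s = client.get(slot, []), server.get(slot, [])
        chosen[slot] = next((a for a in c if a in s), None)
    return chosen


def failed_slots(chosen):
    return [slot for slot, alg in chosen.items() if alg is None]


def weak_choices(chosen):
    """Weak algorithms the client's preference order actually selects."""
    return {slot: alg for slot, alg in chosen.items() if alg in WEAK}


def weak_offered(proposal):
    """Weak algorithms a side offers at all, whatever this client picks."""
    return sorted({a for names in proposal.values() for a in names if a in WEAK})


def widen_server_macs(server, macs):
    patched = dict(server)
    patched["mac_c2s"], patched["mac_s2c"] = list(macs), list(macs)
    return patched


if __name__ == "__main__":
    client, server = parse_proposals(DEBUG_LOG)
    print("before fix, no common algorithm in:", failed_slots(negotiate(client, server)))
    after = negotiate(client, widen_server_macs(server, MINIMAL_FIX_MACS))
    print("after minimal fix:", after)
    print("weak choices forced by the old client:", weak_choices(after))
    print("weak algorithms the server offers after the page's fix:",
          weak_offered(widen_server_macs(server, PAGE_FIX_MACS)))
```

Both server variants negotiate hmac-sha1, because the H3C client lists it first and the rule follows the client's order; the extra MD5 and 96-bit keywords in the Solution only change what other clients can ask for. The same replay also shows that the old client pulls the session onto aes128-cbc even though the HW switch offers CTR modes, which is the strongest argument for upgrading the H3C rather than leaving the server widened.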

Note the "The server is not authenticated" prompt: the H3C client has no stored host key for the HW switch, and answering N to saving it means the key is never pinned, so a changed or spoofed server key would not be noticed on later logins. Save the key once it has been verified out of band.