Thursday, May 04, 2017

Net::SSH2 Upgrade Access to Cisco

I upgraded my Strawberry Perl to 5.24 and my GNS3 test lab for SSH access via CRAPPS suddenly didn't work.

Knowing the Perl version changed, I checked and the Net::SSH2 version changed (0.58 to 0.63). Troubleshooting was pretty easy - just a quick Perl script to open a connection and die on failure with error:

#!perl
use strict;
use warnings;
use Net::SSH2;

# Open a session to the lab router; on failure, die with libssh2's own
# error code and message so the key exchange problem is visible.
my $ssh2 = Net::SSH2->new();
$ssh2->connect('10.254.254.1') or $ssh2->die_with_error;
print "Success\n";

The error was: Unable to exchange encryption keys (-8 LIBSSH2_ERROR_KEY_EXCHANGE_FAILURE). OK, so I said troubleshooting was easy ... the solution ... maybe not so much?

I figured it was a key exchange error (obviously), but how to go about fixing it? Was it a bug in Net::SSH2 XS code? I turned on debugging on the router:

R1# debug ip ssh

I tried to connect again and got a flood of debug info, the most useful being the last few lines:

May 4 22:06:06.987: SSH2 1:  Invalid modulus length
May 4 22:06:06.991: SSH2: Session disconnected - error 0x00

A bit of Google magic and I found I should set the Diffie–Hellman minimum size larger, so I tried:

R1# config term
R1(config)# ip ssh dh min size 2048

It worked! Connections now worked with the new Net::SSH2 version, but would this break the old one? I switched to an older version of Perl installed on my system with Net::SSH2 0.58 and tried. It too worked! I'll keep the DH 2048 minimum size in my default configuration from now on.
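As an added example (not part of the original post), here is a Net::SSH2 check that distinguishes a key exchange failure from other connection errors and then retries with a fixed 2048-bit group (diffie-hellman-group14-sha1) instead of the group-exchange method, which is a client-side fallback when the router's DH minimum cannot be changed. It assumes the lab address from the post, that the router and libssh2 build both support group14 (an assumption), and uses Net::SSH2's method() and error() calls.

```perl
#!perl
use strict;
use warnings;
use Net::SSH2;

# Lab router from the post; override on the command line if needed.
my $host = $ARGV[0] // '10.254.254.1';

# First attempt: libssh2's default KEX list (includes group exchange, which is
# what tripped the router's modulus-length check). Second attempt: a fixed
# 2048-bit group, so no RFC 4419 min/preferred/max negotiation takes place.
for my $kex (undef, 'diffie-hellman-group14-sha1') {
    my $ssh2 = Net::SSH2->new();
    if (defined $kex) {
        # Preferences must be set before connect().
        $ssh2->method('KEX', $kex) or die "Cannot set KEX preference $kex\n";
    }
    if ($ssh2->connect($host)) {
        # With no value list, method() reports the negotiated algorithm.
        printf "Connected to %s, negotiated KEX: %s\n", $host, $ssh2->method('KEX');
        $ssh2->disconnect;
        exit 0;
    }
    # In list context error() returns (code, symbolic name, message).
    my ($code, $name, $msg) = $ssh2->error;
    if ($name eq 'LIBSSH2_ERROR_KEY_EXCHANGE_FAILURE') {
        my $which = defined $kex ? $kex : 'default KEX list';
        warn "Key exchange failed with $which: $msg\n";
        warn "Check 'debug ip ssh' on the router for 'Invalid modulus length'\n"
            unless defined $kex;
        next;    # try the fallback group
    }
    # Anything else (unreachable host, refused port, ...) is not a KEX issue.
    die "Connection to $host failed: $name ($code): $msg\n";
}
die "All key exchange attempts failed for $host\n";
```

If the fallback succeeds where the default list fails, the router's DH minimum (ip ssh dh min size) is the thing to fix, as the post concludes.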


Copyright © VinsWorld. All Rights Reserved.