
Cannot SSH to ScreenOS device from an External Device

Article ID: KB16978 | Last Updated: 21 Sep 2020 | Version: 3.0

Cannot SSH to ScreenOS device from an external device such as a Cisco Switch.


When attempting to SSH to a ScreenOS device from an external device such as a Cisco switch, the following error is reported in the logs:

Event Log on ScreenOS device (NetScreen):

system error 00528 SSH: Failed to negotiate host key algorithm with host x.x.x.x.

Cisco Switch Log:

SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss

The Cisco client is offering SSH-RSA, while the ScreenOS device presents an SSH-DSA (ssh-dss) host key.

ScreenOS supports SSH-RSA in SSHv1 and SSH-DSA in SSHv2.

To find the SSH version in use and the host-key algorithm being used, run the following commands:

Example 1 DSA key:
get ssh

SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections
Maximum sessions: 24
Active sessions: 0

get ssh host-key

DSA fingerprint:
finger_print = 37:23:74:ba:4c:a5:91:d1:ea:4e:a2:a8:46:58:4e:b1

Example 2 RSA Key:
get ssh

SSH V1 is active
SSH is enabled
SSH is ready for connections
Key regeneration time: 60 minutes
Maximum sessions: 24
Active sessions: 0

get ssh host-key

Length: 1024
Exponent: 65537

Key ID: 0F96C0C2EE54B93A1BB6

RSA1 key fingerprint:

To resolve this issue, the host-key algorithm must match on both sides. Either set the firewall to SSHv1 or SSHv2 to match the Cisco unit, or set the Cisco unit to match the firewall.

To change to SSHv1, run the following commands:

delete ssh device all   (removes all SSH)
set ssh version v1  
set ssh enable

Another possible reason for SSH to fail is that newer SSH clients reject the legacy algorithms the ScreenOS device uses: 3des-cbc encryption, the diffie-hellman-group1-sha1 key exchange, and the ssh-dss host-key algorithm. To enable these algorithms for a single session with OpenSSH, use the following syntax:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c 3des-cbc netscreen@a.b.c.d

where a.b.c.d represents the IP address you are trying to ssh to.
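As an added example (not part of the KB article), the script below parses the Cisco log line quoted above to recover the client and server host-key algorithms, and then emits an OpenSSH ssh_config Host stanza equivalent to the command-line options shown, scoped to one device so the legacy algorithms are not enabled for every SSH destination. The host alias netscreen-fw, the address a.b.c.d, the netscreen user name and the sample log line are placeholders or constructed input.

```shell
#!/bin/sh
# Added example, not from the KB article. Works in POSIX sh (dash, bash).

# Constructed sample, in the form of the Cisco client log quoted in the article.
SAMPLE_LOG='SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss'

# hostkey_mismatch LINE
#   Prints "client=<algo> server=<algo>" and returns 0 when LINE reports a
#   host-key algorithm mismatch; prints nothing and returns 1 otherwise.
hostkey_mismatch() {
    case "$1" in
        *"hostkey algo not supported: client "*", server "*)
            rest=${1#*"hostkey algo not supported: client "}   # "ssh-rsa, server ssh-dss"
            client=${rest%%,*}                                  # "ssh-rsa"
            server=${rest##*"server "}                          # "ssh-dss"
            printf 'client=%s server=%s\n' "$client" "$server"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# legacy_stanza ALIAS IP
#   Prints an ssh_config Host block that enables the ScreenOS legacy
#   algorithms only when connecting to ALIAS. This mirrors the one-off
#   -oKexAlgorithms / -oHostKeyAlgorithms / -c options from the article.
legacy_stanza() {
    alias=$1
    ip=$2
    cat <<EOF
Host $alias
    HostName $ip
    User netscreen
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss
    Ciphers 3des-cbc
EOF
}

# Stand-alone run: classify the sample line, then print a stanza for the
# placeholder device.
hostkey_mismatch "$SAMPLE_LOG"
legacy_stanza netscreen-fw a.b.c.d
```

Save the stanza to a file such as ~/.ssh/config (path assumed) and check the effective settings without connecting by running `ssh -G netscreen-fw`, which prints the resolved configuration for that alias; the legacy Kex, HostKey and Cipher values should appear for netscreen-fw and not for other hosts.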

Modification History:
2020-09-21: Added another reason for ssh to fail in the solution.