
Cannot SSH to ScreenOS device from a Cisco Switch


Article ID: KB16978 KB Last Updated: 19 Mar 2012 Version: 2.0
Summary:
Cannot SSH to ScreenOS device from a Cisco Switch.
Symptoms:
When attempting to SSH to a ScreenOS device from a Cisco switch, the following error is reported in the logs:

Event Log on ScreenOS device (NetScreen):

system error 00528 SSH: Failed to negotiate host key algorithm with host x.x.x.x.

Cisco Switch Log:

SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss
Solution:
The Cisco client is using SSH-RSA, and the ScreenOS device is using SSH-DSA (the same as DSS).

ScreenOS supports SSH-RSA in SSHv1, and it supports SSH-DSA in SSHv2.  

To find the SSH version and see the algorithm being used, run the following commands:

Example 1 DSA key:
get ssh

SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections
Maximum sessions: 24
Active sessions: 0



get ssh host-key

DSA fingerprint:
finger_print = 37:23:74:ba:4c:a5:91:d1:ea:4e:a2:a8:46:58:4e:b1

Example 2 RSA Key:

get ssh

SSH V1 is active
SSH is enabled
SSH is ready for connections
Key regeneration time: 60 minutes
Maximum sessions: 24
Active sessions: 0



get ssh host-key

Length: 1024
Exponent: 65537
Modulus:


Key ID: 0F96C0C2EE54B93A1BB6

RSA1 key fingerprint:
15:07:33:d4:16:39:2b:cb:90:3b:4d:1d:b3:ef:67:22

To resolve this issue, the algorithm has to match on both sides. Either set the firewall to SSHv1 or SSHv2 to match the Cisco unit, or set the Cisco unit to match the firewall.

To change to SSHv1, run the following commands:

delete ssh device all   (removes all SSH)
set ssh version v1  
set ssh enable
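
An added example (not part of the original article and not Juniper or Cisco tooling): a small Python triage script that recognises the two log messages shown under Symptoms and applies the SSHv2 rule that the host key algorithm chosen is the first one on the client's list that the server also offers. The function names and the 192.0.2.10 address are assumptions made for the illustration.

```python
import re

# Message formats copied from the two log excerpts in this article.
CISCO_RE = re.compile(r"hostkey algo not supported: client (\S+), server (\S+)")
SCREENOS_RE = re.compile(
    r"SSH: Failed to negotiate host key algorithm with host (\S+?)\.?\s*$")


def negotiate(client_algos, server_algos):
    """RFC 4253 section 7.1, simplified: the first name on the client's list
    that the server also offers is chosen; None means the handshake fails."""
    return next((a for a in client_algos if a in server_algos), None)


def parse_cisco(line):
    """Return (client_algos, server_algos) from a Cisco SSH2 client line."""
    m = CISCO_RE.search(line)
    if not m:
        return None
    return tuple(g.strip(",").split(",") for g in m.groups())


def parse_screenos(line):
    """Return the peer address from a ScreenOS host-key negotiation error."""
    m = SCREENOS_RE.search(line)
    return m.group(1) if m else None


def diagnose(lines):
    """Summarise host-key mismatches found in a mixed list of log lines."""
    report = {"peers": [], "mismatches": []}
    for line in lines:
        peer = parse_screenos(line)
        if peer:
            report["peers"].append(peer)
        algos = parse_cisco(line)
        if algos and negotiate(*algos) is None:
            report["mismatches"].append({"client": algos[0], "server": algos[1]})
    return report


# Constructed sample input: the article's messages with a documentation address.
SAMPLE = [
    "system error 00528 SSH: Failed to negotiate host key algorithm with host 192.0.2.10.",
    "SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```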

