SSH algorithms on IOS/XE

[ipspace]

Looks like the initial device configuration on IOS/XE devices (Cat8Kv, CSR) might be the root cause for #2966)

FWIW, here are the SSH algorithms on Cisco IOL (Linux Software (X86_64BI_LINUX-ADVENTERPRISEK9-M), Version 17.16.1a)

r#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512

And here's Catalyst 8000v:

r#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-512
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): r.example.com

Both have modern ciphers, so we might have a problem with initial device configuration. As we have to deal with IOSv anyway, I'll leave this as-is and open another issue for the cipher selection challenge.

Originally posted by @ipspace in #2966

[DanPartelly]

Madmen toil surreptitiously to beckon (the moon) an algebra on interfaces, to no avail. (I'm one of those madmen) There is no orthogonality without algebras. Algebras are the only things that compose directly. The rest is luck. And algebras are made impossible by the crap software developers do nowadays.

I'm very tempted to start offering a server Linux appliance image for netlab, which has all the X and Y dotted, and you can just slap it on your server or on your VM, and start enjoying the software. I'm not really there yet, but it would be really simple and efficient. Gonna see what the next year brings.

[ipspace]

I'm very tempted to start offering a server Linux appliance image for netlab, which has all the X and Y dotted, and you can just slap it on your server or on your VM, and start enjoying the software.

That would be absolutely awesome.

Gonna see what the next year brings.

I'm hoping for the best ;)

[ipspace]

Checked the key exchange with Catalyst 8000v (VM) and IOL (container). They both propose only more-recent algorithms, and the negotiated algorithms are OK. We could drop the netlab_ssh_args for everything but IOSv/IOSvL2, but it doesn't matter anyway.

Unfortunately, I don't think IOSv will die anytime soon. Unless you have an IOL image, it's the fastest and leanest way to get a Cisco lab up and running.