We have discovered a problem with connecting to new Cisco Catalyst L3 devices from the Spectrum OneClick console. Normally we can right-click on the device and open a secure shell connection to it. However, we have found that the connection to the new device is closed after authentication fails.
We can see from the log on the device that the SSH connection failed to negotiate a common SSH2 MAC algorithm. This newer device only allows hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com.
Is there a way to add these newer, more secure MAC algorithms to Spectrum, to allow this connection?
Will a later version of Spectrum have a different range of SSH MACs?
Cisco devices running older IOS versions, such as 17.6.5, use the MACs hmac-sha2-512 and hmac-sha2-256, while devices running 17.12.3 use the encryption algorithms aes256-ctr aes256-gcm aes192-ctr aes128-gcm aes128-ctr.
Add the updated ciphers to ssh_config
1. From a bash prompt, navigate to the etc directory that holds ssh_config:
On Windows: C:\win32app\Spectrum\NT-Tools\SRE\etc\ssh_config
On Linux: /etc/ssh_config
2. Open the file in an editor: vi /etc/ssh_config
3. Add the MACs to the MACs line (if the line is commented out with #, uncomment it).
4. Update the configuration on the device so that its MAC and encryption algorithms match:
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr aes256-gcm aes192-ctr aes128-gcm aes128-ctr
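The client-side part of steps 1 to 3, written out as a script so the edit is repeatable across SpectroServers. This is an added example and not part of the article or of Spectrum; it assumes the path to the ssh_config is passed as the first argument (the article's /etc/ssh_config on Linux), that a commented "#MACs" line only carries OpenSSH defaults and can be replaced outright, and that an active MACs line should keep its existing entries after the new ones so connections to older devices keep working. The MAC list is the one the device accepts according to the question; the preference order is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not the article's or Spectrum's own code): make the MACs line
# of an OpenSSH client ssh_config offer the hmac-sha2 algorithms the newer
# Catalyst accepts, in an idempotent way that can be re-run safely.
set -eu

# MACs the device accepts, as listed in the question. Order is the client's
# preference order; the encrypt-then-MAC (etm) variants are placed first.
REQUIRED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"

# Print the value of the first active (uncommented) MACs line, or nothing.
configured_macs() {
  sed -n -E 's/^[[:space:]]*MACs[[:space:]]+//p' "$1" | head -n 1
}

# Rewrite the file so it has one active MACs line containing every required
# MAC: a commented "#MACs" line is replaced by an active one, an active line is
# merged (required MACs first, then its existing entries that are not already
# listed), and if no MACs line exists at all one is appended.
ensure_macs() {
  local cfg="$1" macs="${2:-$REQUIRED_MACS}" tmp
  tmp="$(mktemp)"
  awk -v macs="$macs" '
    !done && $0 ~ /^[ \t]*#?[ \t]*MACs[ \t]/ {
      merged = macs
      if ($0 !~ /^[ \t]*#/) {
        line = $0
        sub(/^[ \t]*MACs[ \t]+/, "", line)
        n = split(line, old, ",")
        for (i = 1; i <= n; i++) {
          gsub(/[ \t]/, "", old[i])
          if (old[i] != "" && index("," merged ",", "," old[i] ",") == 0)
            merged = merged "," old[i]
        }
      }
      print "MACs " merged
      done = 1
      next
    }
    { print }
    END { if (!done) print "MACs " macs }
  ' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # cat rather than mv keeps the file's owner and mode
  rm -f "$tmp"
}

# Usage: ./ensure_macs.sh /etc/ssh_config
if [ -n "${1:-}" ]; then
  ensure_macs "$1"
  echo "MACs now: $(configured_macs "$1")"
fi
```

A config line cannot add an algorithm the ssh binary itself lacks, so after editing check `ssh -Q mac` on the SpectroServer to confirm the hmac-sha2 names are listed, and `ssh -G <device>` to see the effective MACs value the client will actually offer for that host.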
If NCM uses jsch, upgrade to NetOps Spectrum 22.2.7 or later, as the jsch library was updated to support hmac-sha2.
With regard to the use of sha1 by NCM:
From the logs, the device replies that it supports strong algorithms such as hmac-sha2-256 and hmac-sha2-512, while Spectrum offers only hmac-sha1. The reason is that the jsch library in use supports only hmac-sha1 and hmac-sha1-96. The jsch version currently in use is 1.54; jsch added support for hmac-sha2-256 in version 1.55.
Spectrum upgraded jsch to 1.55 as part of Spectrum 22.2.7, so this issue no longer occurs from release 22.2.7 onwards.
To troubleshoot the SSH handshake:
From the SpectroServer bash prompt, connect to the device with the command below in debug mode:
ssh -vvv <username>@<problematic IP>
This prints the connection handshake debug output, which shows exactly why the negotiation is failing.
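The debug output from ssh -vvv is long, and the MAC lines are easy to miss. The following added example (not part of the article) pulls the MAC proposals of both sides out of that output and reports what they have in common. The sample log embedded in it is constructed to resemble the failure described above in OpenSSH's debug format, with a client offering only hmac-sha1 against a device that accepts only hmac-sha2; the IP address is a documentation placeholder, and the line formats are assumed to match the OpenSSH client on the SpectroServer.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): summarise the MAC negotiation
# seen in "ssh -vvv" output so a mismatch is visible at a glance.
set -eu

# Constructed sample of the relevant "ssh -vvv" lines (OpenSSH prints the
# local proposal first, then the peer's, then the failure line).
SAMPLE_FAIL_LOG='debug2: local client KEXINIT proposal
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: peer server KEXINIT proposal
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Unable to negotiate with 192.0.2.10 port 22: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Read ssh -vvv output on stdin; print the client-to-server MAC list offered by
# each side and the MACs both share ("none" if there is no overlap). Exits 1
# when there is no overlap so the function can gate a script.
mac_negotiation() {
  awk '
    /^debug2: local client KEXINIT proposal/ { side = "local" }
    /^debug2: peer server KEXINIT proposal/  { side = "peer" }
    /^debug2: MACs ctos: / && side != ""     { offer[side] = $4 }
    END {
      n = split(offer["local"], l, ","); m = split(offer["peer"], p, ",")
      for (i = 1; i <= n; i++)
        for (j = 1; j <= m; j++)
          if (l[i] == p[j]) common = common (common == "" ? "" : ",") l[i]
      print "local offers: " offer["local"]
      print "peer offers:  " offer["peer"]
      print "common:       " (common == "" ? "none" : common)
      exit (common == "" ? 1 : 0)
    }'
}

# Only the shared MACs (or "none"), convenient for scripted checks.
common_macs() {
  mac_negotiation | sed -n 's/^common: *//p'
}

# The device's MAC list from the final "no matching MAC found" line, if present.
their_offer() {
  sed -n 's/.*no matching MAC found\. Their offer: //p'
}

# Usage: ssh -vvv <username>@<device> 2>&1 > capture.log; ./mac_negotiation.sh capture.log
# (ssh writes its debug output to stderr, hence the redirection.)
# Without an argument the constructed sample is analysed instead.
if [ -n "${1:-}" ]; then
  mac_negotiation < "$1"
else
  printf '%s\n' "$SAMPLE_FAIL_LOG" | mac_negotiation || true
fi
```

On a failing handshake the "common" line reads "none" and the "Their offer" list tells you exactly which MACs need to be added on the client side; after the ssh_config change the same capture should show at least one shared hmac-sha2 entry.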