Can not SSH to a router or switch in to GNS3 #3573

Closed
DanialDelshad opened this issue Mar 30, 2024 · 2 comments
@DanialDelshad
I can't SSH into GNS3 with this ERROR

By the way, I used the shell and edited sshd_config & sshconfig in the etc directory, but the problem still exists!!!

Unable to negotiate with 192.168.149.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

@josephmhiggins
It is much easier to properly configure the remote and local than it is to troubleshoot the problem, i.e. copy and paste someone else's configuration.
What operating system and SSH application name are you initiating a transfer from, and what is the operating system (i.e. router vendor and OS version) you are trying to SSH into?

@ghost
ghost commented Apr 2, 2024

@DanialDelshad

This is NOT an issue of GNS3. This is caused by the ancient implementation of SSH in the router, which is by default no longer supported by the SSH in the desktop OS, because these old cipher algorithms are no longer secure. But the SSH on the desktop OS can be configured to support these old algorithms, so you can connect to the router.

Here is a log from my system:

root@debterm-1:~# ssh -l danial 10.1.1.1
Unable to negotiate with 10.1.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

This simply means that the SSH partner, my Cisco IOSv router, supports only the key exchange methods diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1, which were not used by my Linux host. So I have to add an option to my host ssh to support one of these key exchange methods. I choose the first one, diffie-hellman-group-exchange-sha1.

root@debterm-1:~# ssh -l danial -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 10.1.1.1
Unable to negotiate with 10.1.1.1 port 22: no matching host key type found. Their offer: ssh-rsa

This time the key exchange doesn't issue an error, it seems to work. But the host key type is not compatible, the router expects ssh-rsa. So I will add another option to allow that.

root@debterm-1:~# ssh -l danial -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-rsa 10.1.1.1
The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
RSA key fingerprint is SHA256:rPjxyreOdpfcCsxt6V+zqjRZJ8DafFEIRWX4XU2IBPY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.1.1' (RSA) to the list of known hosts.
(danial@10.1.1.1) Password:
IOSv-1#
IOSv-1#exit
Connection to 10.1.1.1 closed.

This time the connection works.

But adding these options is inconvenient, so I suggest adding them to a configuration file. On Linux there is the global configuration /etc/ssh/ssh_config and the user-specific configuration ~/.ssh/config. In the following I set the options only for my router in the local configuration. But these options can also be enabled for all hosts. Have a look at the ssh documentation to see how to configure SSH on your system.

root@debterm-1:~# mkdir -p ~/.ssh
root@debterm-1:~# cat >> ~/.ssh/config
Host 10.1.1.1
	KexAlgorithms +diffie-hellman-group-exchange-sha1
	HostKeyAlgorithms +ssh-rsa

root@debterm-1:~# 

Now I can connect to the router without specifying these options on the command line:

root@debterm-1:~# ssh -l danial 10.1.1.1
(danial@10.1.1.1) Password:
IOSv-1#
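
The per-host approach from the comment above, automated: this added example (not code from the thread or from the GNS3 project) reads OpenSSH "Unable to negotiate" errors and prints a `Host`-scoped stanza, so the legacy algorithms are enabled only for the device that needs them. The function name `legacy_ssh_stanza`, the rule of using diffie-hellman-group1-sha1 only when nothing else is offered, the cipher and MAC cases (which go beyond the two errors shown in the thread), and the constructed 192.0.2.10 sample line are assumptions of this example.

```shell
#!/bin/sh
# Added example: build host-scoped ssh_config stanzas from negotiation errors.

legacy_ssh_stanza() {
    # Reads ssh error lines on stdin, prints one "Host" block per peer address.
    awk '
    /^Unable to negotiate with / && /Their offer: / {
        host = $5
        # Map the failure reason to the ssh_config keyword that controls it.
        if      ($0 ~ /no matching key exchange method found/) key = "KexAlgorithms"
        else if ($0 ~ /no matching host key type found/)       key = "HostKeyAlgorithms"
        else if ($0 ~ /no matching cipher found/)              key = "Ciphers"
        else if ($0 ~ /no matching MAC found/)                 key = "MACs"
        else next
        offer = $0
        sub(/^.*Their offer: */, "", offer)
        sub(/[ \t\r]+$/, "", offer)
        n = split(offer, alg, ",")
        # Policy (assumption of this example): take the first offered algorithm,
        # but use diffie-hellman-group1-sha1 only if the peer offers nothing else.
        pick = ""
        for (i = 1; i <= n; i++)
            if (alg[i] != "diffie-hellman-group1-sha1") { pick = alg[i]; break }
        if (pick == "") pick = alg[1]
        if (!(host in seen)) { seen[host] = 1; order[++hosts] = host }
        opt[host, key] = pick
    }
    END {
        nk = split("KexAlgorithms HostKeyAlgorithms Ciphers MACs", keys, " ")
        for (h = 1; h <= hosts; h++) {
            print "Host " order[h]
            for (k = 1; k <= nk; k++)
                if ((order[h], keys[k]) in opt)
                    print "\t" keys[k] " +" opt[order[h], keys[k]]
        }
    }'
}

# Sample input: the first two lines are the errors quoted in the thread,
# the third (192.0.2.10) is constructed to show the group1 rule.
SAMPLE='Unable to negotiate with 10.1.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Unable to negotiate with 10.1.1.1 port 22: no matching host key type found. Their offer: ssh-rsa
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'

printf '%s\n' "$SAMPLE" | legacy_ssh_stanza
```

Review the printed stanzas before appending them to ~/.ssh/config; because each one is scoped to a single `Host`, connections to every other system keep the client's default algorithm set.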

@grossmj closed this as not planned on Apr 2, 2024