Cisco Small Business Switches

SSH login with newer OpenSSH versions

Newer SSH versions, e.g. OpenSSH 8.4p1 of Ubuntu 20.10, are more restrictive about the key exchange algorithms they allow when connecting to servers, because the older algorithms are weak from today's point of view; see the OpenSSH Legacy documentation for details. At least for my SG350X, I hope that there will be a firmware update in the future providing support for modern SSH key exchange algorithms.

Nevertheless, it’s my local network and it is quite safe. So you just need to configure an exception for these hosts to use the older algorithms. That’s achieved by adding a host entry to your ~/.ssh/config file. The leading + appends the listed algorithms to the client's default set instead of replacing it, and the host block limits the exception to the named switch:

host sg300-kg-server
        KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
        user cisco

Current software releases installed on my switches

Hostname         Model          Installed version (build date)  Most current version
sg350-kg-1       SG350X-24P-K9  2.5.8.15 (2021-11-16)           2.5.8.15 (2021-11-16)
sg300-kg-server  SG300-20       1.4.11.5 (2020-04-08)           1.4.11.5
sg300-dg-1       SG300-10P      1.4.11.5 (2020-04-08)           1.4.11.5

Configuring SSH public key authentication

Enable SSH and SSH pubkey-authentication with automated login:

sg350-kg-1#configure
sg350-kg-1(config)#ip ssh server
sg350-kg-1(config)#ip ssh pubkey-auth auto-login
sg350-kg-1(config)#crypto key pubkey-chain ssh

Next, configure the pubkey of type rsa for the user cisco. You can directly copy the base64-encoded pubkey from your OpenSSH-format id_rsa.pub file, leaving out the preceding key type and the trailing comment.

sg350-kg-1(config-pubkey-chain)#user-key cisco rsa
sg350-kg-1(config-pubkey-key)#key-string
.. enter your pubkey here and terminate with an extra newline

Fingerprint: MD5:a0:d2:d1:a8:dc:47:35:24:d2:f2:f0:b6:c8:8d:df:6b
sg350-kg-1(config-pubkey-key)#exit
sg350-kg-1(config-pubkey-chain)#exit
sg350-kg-1(config)#exit
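
To check that the fingerprint the switch prints belongs to the key you meant to install, the following added example (not part of the original page) extracts the base64 body from an ssh-rsa line, validates the key blob, and computes the MD5 fingerprint locally. It assumes the switch's fingerprint is the MD5 digest of the decoded key blob, as `ssh-keygen -l -E md5` reports it; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def read_ssh_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def switch_key_material(pub_line):
    """Return (base64 body, MD5 fingerprint, modulus bits) for an ssh-rsa line."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa' public key line")
    body = fields[1]                      # key type and comment are dropped
    blob = base64.b64decode(body, validate=True)
    inner_type, pos = read_ssh_string(blob, 0)
    if inner_type != b"ssh-rsa":          # type inside the blob must agree
        raise ValueError("key blob is not RSA")
    _exponent, pos = read_ssh_string(blob, pos)
    modulus, pos = read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after RSA modulus")
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    bits = int.from_bytes(modulus, "big").bit_length()
    return body, fingerprint, bits


def make_constructed_line(modulus_int, comment="user@example"):
    """Build a well-formed ssh-rsa line from a made-up modulus (demo only)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    # One extra leading byte keeps the mpint positive when the top bit is set.
    n = modulus_int.to_bytes(modulus_int.bit_length() // 8 + 1, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed sample, not a usable key; use the content of id_rsa.pub instead.
    body, fingerprint, bits = switch_key_material(make_constructed_line((1 << 2047) | 1))
    print(body)                # the text to paste after 'key-string'
    print(fingerprint, bits)   # compare with the 'Fingerprint:' line on the switch
```

If the locally computed value differs from the switch's Fingerprint line, the pasted key-string was truncated or altered and should be entered again.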