HPE 5900AF SSH fails to connect

  • 1.  HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 07:13 AM
    Had to redo the PKI, so deleted all keys, certificates etc

    Have the SSL back with proper issued certificate (offline, because the online SCEP way is just pants!), but completely lost SSH

    dsa/rsa keys got re-created, server is enabled, but all I get from a client is instant disconnect!

    On the switch (console connection) I get:

    >%Nov 18 11:41:10:815 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.6.2) disconnected from the server.

    [HPE5900-SR1]dis ssh server status
     Stelnet server: Enable
     SSH version : 1.99
     SSH authentication-timeout : 60 second(s)
     SSH server key generating interval : 0 hour(s)
     SSH authentication retries : 3 time(s)
     SFTP server: Disable
     SFTP Server Idle-Timeout: 10 minute(s)
     NETCONF server: Disable
     SCP server: Disable

    In the config all I have SSH related is:
    ssh server enable
    
    line vty 0 63
     authentication-mode scheme
     user-role network-operator
     protocol inbound ssh
     
    local-user manager class manage
     password hash ********
     service-type ssh http https

    ssh2 is at default

    [HPE5900-SR1]dis ssh2 algorithm
     Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
     Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 rsa dsa
     Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
     MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96


    Anybody any ideas?

    Thanks

    Seb



  • 2.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 18, 2021 08:26 AM
    Hi Seb,

    Do you get a password prompt from the switch, or does the SSH connection just drop right away?

    TBH, I don't like username (null) in the ">%Nov 18 11:41:10:815 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.6.2) disconnected from the server." message. Did you delete it before posting your question on the forum, or does the message literally say (null)? If the latter is our case, I guess you need to check whether your SSH client sends the correct username.

    Also, what do your default domain and radius-scheme configurations look like? Could you share those details as well?






  • 3.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 09:49 AM
    Drops instantly, no window ever comes for input

    The line is exactly as is (with (null))

    No detail of domain and/or radius changed (it works fine for HTTP)

    radius scheme nps
     primary authentication aa.bb.cc.dd key cipher ********************
     primary accounting aa.bb.cc.dd
     key authentication cipher ********************
     key accounting cipher ********************
     user-name-format without-domain

    radius scheme system
     user-name-format without-domain
    #
    domain mydomain
     authentication login radius-scheme nps local
     authorization login radius-scheme nps local
     accounting login radius-scheme nps local
    #
    domain system
    #
     domain default enable mydomain



  • 4.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 18, 2021 10:59 AM
    Since connections fail before having a chance to transmit the username, it must be some issue related to encryption. Either it's lack of local keys or encryption protocol mismatch. We have output from 'display ssh2 algorithm' and it looks ok, so my main suspect is public-key or keys.
    Let's check the output from 'display public-key local public', you need to have RSA and/or DSA key generated. You can check each type separately with 'display public-key local rsa public' and 'display public-key local dsa public'. 

    Another idea - if you generated keys after enabling the SSH server, maybe you could try 'undo ssh server enable / ssh server enable' to toggle SSH service and force it to re-read new parameters if it got stuck due to some reason...

    ------------------------------
    Best regards,
    Ivan
    ------------------------------



  • 5.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 19, 2021 10:59 AM
    Key name: dsakey(default)
    Key type: DSA
    Time when key pair created: 09:52:42 2021/11/18
    Key code:

    3082034630820......


    Key name: mykey
    Key type: RSA
    Time when key pair created: 09:38:16 2021/11/18
    Key code:

    30820122300D06092A8.....

    I have disabled/enabled/re-disabled/re-enabled

    None makes difference, disconnects instantly
    RSA key is used for SSL (and that works perfectly fine)

    Seb





  • 6.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 19, 2021 01:31 PM
    I can sort of reproduce the issue if my SSH client remembers the old key of the switch and if I generate a new RSA key in the switch, then SSH client fails to authenticate the server (switch) because of public keys mismatch. And as a result of such interrupted session attempt I also get (null) username in the SSHS_DISCONNECT message. Here is the result of 'debugging ssh server all' running on the switch when such client attempts to connect (10.0.0.2 is SSH client, 10.0.0.1 is the switch):

    [SW2]*Jan 11 00:34:34:776 2011 SW2 SSHS/7/EVENT: Start new child 12475.
    *Jan 11 00:34:34:787 2011 SW2 SSHS/7/EVENT: Connection from 10.0.0.2 port 32130
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Client protocol version 2.0, client software version Comware-7.1.070
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Enabling compatibility mode for protocol 2.0
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Local version string SSH-2.0-Comware-7.1.070
    *Jan 11 00:34:34:819 2011 SW2 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Jan 11 00:34:34:819 2011 SW2 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Jan 11 00:34:34:820 2011 SW2 SSHS/7/EVENT: Hostkey string is : ssh-rsa
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/MESSAGE: Prepare packet[20].
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/MESSAGE: Received packet type 20.
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/EVENT: Received SSH2_MSG_KEXINIT.
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: My proposal kex:
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(1): ssh-rsa
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(6): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(7): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(8):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(9):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Peer proposal kex:
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(1): x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(6): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(7): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(8):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(9):
    *Jan 11 00:34:34:824 2011 SW2 SSHS/7/EVENT: Kex: client->server, Encrypt: aes128-ctr, HMAC: hmac-sha2-256, Compress: none
    *Jan 11 00:34:34:825 2011 SW2 SSHS/7/EVENT: Kex: server->client, Encrypt: aes128-ctr, HMAC: hmac-sha2-256, Compress: none
    *Jan 11 00:34:34:832 2011 SW2 SSHS/7/EVENT: Expecting packet type 30.
    *Jan 11 00:34:34:832 2011 SW2 SSHS/7/MESSAGE: Received packet type 30.
    *Jan 11 00:34:34:839 2011 SW2 SSHS/7/MESSAGE: Prepare packet[31].
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/MESSAGE: Prepare packet[21].
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/EVENT: Set new keys: mode=1
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/EVENT: Expecting packet type 21.
    %Jan 11 00:34:34:844 2011 SW2 SSHS/6/SSHS_LOG: Connection closed by 10.0.0.2.
    %Jan 11 00:34:34:845 2011 SW2 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.0.2) disconnected from the server.

    You can enable the same debugging and check if the situation is similar. Maybe in your case it will be a different error, but at this time debugging seems to be the next step anyways:

    # Enable monitoring and debugging output to the current VTY session. The commands below should be executed from the user-view.
    terminal monitor
    terminal debugging
    
    # Enable SSH Server debugging - messages, errors and events.
    debugging ssh server all
    
    # Attempt to connect from SSH client to the switch.
    
    # Disable the debugging.
    undo debugging all

    Also it's a good idea to try a different SSH client to avoid any public key caching issues.



    ------------------------------
    Ivan Bondar
    ------------------------------



  • 7.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 22, 2021 04:45 AM

    Getting the same:

    How to get it back to normal state?

    I can clear local key from Putty, but it makes no difference

    <HPE5900-SR1>debugging ssh server all
    <HPE5900-SR1>*Nov 22 09:38:53:553 2021 HPE5900-SR1 SSHS/7/EVENT: Start new child 2112998.
    *Nov 22 09:38:53:559 2021 HPE5900-SR1 SSHS/7/EVENT: Connection from 10.0.6.2 port 3939
    *Nov 22 09:38:53:562 2021 HPE5900-SR1 SSHS/7/EVENT: Client protocol version 2.0, client software version PuTTY_Release_0.67
    *Nov 22 09:38:53:563 2021 HPE5900-SR1 SSHS/7/EVENT: Enabling compatibility mode for protocol 2.0
    *Nov 22 09:38:53:563 2021 HPE5900-SR1 SSHS/7/EVENT: Local version string SSH-1.99-Comware-7.1.045
    *Nov 22 09:38:53:563 2021 HPE5900-SR1 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Nov 22 09:38:53:563 2021 HPE5900-SR1 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Nov 22 09:38:53:568 2021 HPE5900-SR1 SSHS/7/EVENT: Hostkey string is : ssh-dss
    *Nov 22 09:38:53:568 2021 HPE5900-SR1 SSHS/7/MESSAGE: Prepare packet[20].
    *Nov 22 09:38:53:569 2021 HPE5900-SR1 SSHS/7/MESSAGE: Received packet type 20.
    *Nov 22 09:38:53:569 2021 HPE5900-SR1 SSHS/7/EVENT: Received SSH2_MSG_KEXINIT.
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: My proposal kex:
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(1): ssh-dss
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(6): none,zlib,zlib@openssh.com
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(7): none,zlib,zlib@openssh.com
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(8):
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(9):
    *Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Peer proposal kex:
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(0): diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(1): ssh-rsa,ssh-dss
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(2): aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(3): aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
    *Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
    *Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(6): none,zlib
    *Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(7): none,zlib
    *Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(8):
    *Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(9):
    *Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex: client->server, Encrypt: aes256-ctr, HMAC: hmac-sha2-256, Compress: none
    *Nov 22 09:38:53:574 2021 HPE5900-SR1 SSHS/7/EVENT: Kex: server->client, Encrypt: aes256-ctr, HMAC: hmac-sha2-256, Compress: none
    *Nov 22 09:38:53:575 2021 HPE5900-SR1 SSHS/7/MESSAGE: Received packet type 34.
    *Nov 22 09:38:53:576 2021 HPE5900-SR1 SSHS/7/EVENT: Received SSH2_MSG_KEX_DH_GEX_REQUEST.
    *Nov 22 09:38:53:577 2021 HPE5900-SR1 SSHS/7/MESSAGE: Prepare packet[31].
    *Nov 22 09:38:53:824 2021 HPE5900-SR1 SSHS/7/EVENT: Expecting packet type 32.
    *Nov 22 09:38:53:825 2021 HPE5900-SR1 SSHS/7/MESSAGE: Received packet type 32.
    *Nov 22 09:38:54:026 2021 HPE5900-SR1 SSHS/7/ERROR: Fatal error occurs: unexpected internal error.
    %Nov 22 09:38:54:026 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.6.2) disconnected from the server.


    ------------------------------
    spgsitsupport
    ------------------------------



  • 8.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 22, 2021 06:15 AM
    In your case SSH fails at a different stage. Server gets SSH2_MSG_KEX_DH_GEX_REQUEST message from the client and should send SSH_MSG_KEX_DH_GEX_GROUP to start Diffie-Hellman key exchange, but fails to do so, bailing out with 'unexpected internal error'. Typically it happens when there is any issue with public-key.

    What s/w version is your 5900 running and how long are the RSA and DSA keys?
    Could you check if 5900 didn't record peer's public keys by 'display public-key peer'?

    BTW, we can check if the issue is somehow related to the client by initiating a reverse SSH session to the localhost. Try from the 5900 itself 'ssh 127.0.0.1' and try to login. If login is successful, check 'display ssh server session' session's details to ensure it works.

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 9.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 22, 2021 07:42 AM
    No peer key

    Reverse SSH fails with same error in terminal

    Connecting to 127.0.0.1 port 22.
    <HPE5900-SR1>%Nov 22 12:38:47:931 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 127.0.0.1) disconnected from the server.
    %Nov 22 12:38:47:932 2021 HPE5900-SR1 SSHC/6/SSHC_LOG: Connection closed by 127.0.0.1.

    The version of firmware is the same that run SSH fine before key delete/re-create: 5900_5920-cmw710-system-r2432p06.

    DSA does not have length to specify, rsa is 2048

    ------------------------------
    spgsitsupport
    ------------------------------



  • 10.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 22, 2021 08:04 AM
    At least we know for sure the issue is in the switch since it refuses such loopback connection. We can safely rule out client-related issues. I am trying to break SSH on my lab's 5900 running the same 2432P06, but so far it works despite all my attempts to break SSH by re-creating keys etc... Maybe it has something to do with "Have the SSL back with proper issued certificate (offline, because the online SCEP way is just pants!)" you've mentioned in your initial message...

    Could you send me your full 'current-configuration' as a private message? Please delete IPs, ciphers, hashes etc. or obfuscate/alter them.

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 11.  RE: HPE 5900AF SSH fails to connect
    Best Answer

    EMPLOYEE
    Posted Nov 22, 2021 08:55 AM
    Ok, I think I got it. At least in my lab. Please, try to create default RSA keys without specifying key's name:

    [5900]public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:2048
    Generating Keys...
    .......
    Create the key pair successfully.

    Then output of the 'display public-key local rsa public' should include not only 'mykey', but also 'hostkey(default)' and 'serverkey(default)':

    [5900]dis publ lo rsa pu
    
    =============================================
    Key name: hostkey(default)
    Key type: RSA
    Time when key pair created: 05:06:36 2011/10/05
    Key code:
    
       30820122300D06092A864886F70D01010105000382010F003082010A0282010100A3847D76
       2C1731FD417E5C63D9CDF0680B330B6AC92BA9709C99A3883942E2626F6C0FC5BE5CD4BB94
       CA5E36AC5340D44169AD67441E799C772A450F8C94481083FD30BC978D710019BD7763940B
       05215EFC0A23C4405791F4573E42CEA1E0CF3C092797E552715C85C82E8D983FB559984EA6
       D3B09C38DB71CEEB3BF29AB025E2AC5884C5D915B0EF0D45C63D0B95EA142CC05EE2B4C18D
       E2AEED949631A0D17E6CCA5C0BAE073B327334B49B74A03E442A6E0AFC10D53DE863B49746
       63DC5B86A590EDC169EA502A542958B55E70DCB332A667C580C45A8EE83058DCEA186260DE
       79D89D63B30C470D56EF66C4AF3635D2735F6635B5864AA099C901E436630203010001
    
    =============================================
    Key name: serverkey(default)
    Key type: RSA
    Time when key pair created: 05:06:36 2011/10/05
    Key code:
    
       307C300D06092A864886F70D0101010500036B003068026100B1442626B73F224846B958EC
       5CACA8335438A7DD75D289B4E786A3DD70A7531C6409F5EBEF9783FDB348438543EDDB355F
       F103165F5A75C1A636EBE1242B84C9C9E050A3950D33E797AF3753F71651E36DFCA44BB9E1
       2D8A0D7C0084C4BF67850203010001
    
    =============================================
    Key name: mykey
    Key type: RSA
    Time when key pair created: 04:59:45 2011/10/05
    Key code:
    
       30820122300D06092A864886F70D01010105000382010F003082010A0282010100CEB16E5E
       F50DFADC4BAB2C5774A642E8457A022387EC635E9F64FDC87C87558D710A9693D03834F31A
       0369CF0016F5DBB6D41DA0226CE3DA6875CB1850E7E14A4EE38172EC29ED565B0AE8926702
       B712C4168D18FC5B12E1BD4E3390E1D78AD8796FE7C178B97FC55596B13ACD523A021C69D1
       0D9B789E7C2A2DB4C2AAE3FC51831676AD90E5D63C5A16F384805D6DABDC9F6429C7BF77A4
       FEFECCAC12C64B88933E2CC00BD25BE96AFAF012DB51082100156432478F1B6BBBA3EAF666
       1AC62A3C5D8C789A5A23846FCDC5002DA921AD08F353DCE641317DB38BF97AEBB0C81B95F7
       1FF46D6092234EF7F913C49D8DE8B64B82E158FC397A007062F0972E9BC30203010001

    Then try 'ssh 127.0.0.1 identity-key rsa' to verify if it works. If it works, then any external client that uses RSA key will work too. DSA doesn't work, I've tried to generate DSA default key, but the connection always fails. I think this is why it fails with your 5900 now - because your 5900 advertises 'ssh-dss' only, without 'ssh-rsa':

    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: My proposal kex:
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(1): ssh-dss

    So just create the default RSA keys (without touching currently present 'mykey') and it should work.


    ------------------------------
    Ivan Bondar
    ------------------------------
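
The reading of the debug output used in the answer above, as an added example (not code from the thread or from HPE): it parses the "My proposal" / "Peer proposal" lines of 'debugging ssh server all', applies the RFC 4253 rule that the first client-listed algorithm the server also offers is chosen, and flags a switch that advertises no ssh-rsa host key. The function names and SAMPLE_LOG are illustrative assumptions; the sample lines are taken from the log posted in this thread.

```python
import re

# Sample input: debug lines quoted in this thread (abridged). The first
# "Kex strings(0)" line is wrapped mid-name, as console pastes often are.
SAMPLE_LOG = """\
*Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: My proposal kex:
*Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-s                  ha1,diffie-hellman-group1-sha1
*Nov 22 09:38:53:570 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(1): ssh-dss
*Nov 22 09:38:53:571 2021 HPE5900-SR1 SSHS/7/EVENT: Peer proposal kex:
*Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(0): diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1
*Nov 22 09:38:53:572 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(1): ssh-rsa,ssh-dss
*Nov 22 09:38:53:573 2021 HPE5900-SR1 SSHS/7/EVENT: Kex strings(8):
*Nov 22 09:38:54:026 2021 HPE5900-SR1 SSHS/7/ERROR: Fatal error occurs: unexpected internal error.
"""

# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
SLOTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
         "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
HEADER = re.compile(r"SSHS/7/EVENT: (My|Peer) proposal kex:")
ENTRY = re.compile(r"SSHS/7/EVENT: Kex strings\((\d)\):\s*(.*)$")
ERROR = re.compile(r"SSHS/7/ERROR: (.*)$")


def parse_debug(text):
    """Return ({'server': {...}, 'client': {...}}, [error messages])."""
    proposals, errors, side = {"server": {}, "client": {}}, [], None
    for raw in text.splitlines():
        # Log fields are separated by single spaces, so a run of spaces is
        # terminal wrapping inside a name-list: remove it to rejoin the name.
        line = re.sub(r" {2,}", "", raw.strip())
        if m := HEADER.search(line):
            # In server-side (SSHS) debugging, "My" is the switch itself.
            side = "server" if m.group(1) == "My" else "client"
        elif (m := ENTRY.search(line)) and side:
            names = [n for n in m.group(2).split(",") if n]
            proposals[side][SLOTS[int(m.group(1))]] = names
        elif m := ERROR.search(line):
            errors.append(m.group(1))
    return proposals, errors


def negotiate(client_list, server_list):
    """First algorithm in the client's list that the server also offers."""
    return next((a for a in client_list if a in server_list), None)


def diagnose(text):
    """Return (chosen kex/hostkey algorithms, findings, logged errors)."""
    proposals, errors = parse_debug(text)
    server, client = proposals["server"], proposals["client"]
    chosen = {slot: negotiate(client.get(slot, []), server.get(slot, []))
              for slot in ("kex", "hostkey")}
    findings = []
    if "ssh-rsa" not in server.get("hostkey", []):
        findings.append("switch offers no ssh-rsa host key; check that the "
                        "default RSA key pair (hostkey/serverkey) exists")
    if chosen["hostkey"] is None:
        findings.append("client and switch share no host key algorithm")
    if errors:
        findings.append("session aborted after negotiating host key "
                        f"{chosen['hostkey']} with kex {chosen['kex']}")
    return chosen, findings, errors


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
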



  • 12.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 22, 2021 10:49 AM
    Thanks very much!

    Indeed a solution! to an obvious BUG!

    Really appreciate your help

    ------------------------------
    spgsitsupport
    ------------------------------



  • 13.  RE: HPE 5900AF SSH fails to connect

    EMPLOYEE
    Posted Nov 22, 2021 10:52 AM
    Great news indeed! Thanks for confirming the solution, hopefully it will help other people if they end up in a similar situation.

    ------------------------------
    Ivan Bondar
    ------------------------------