Xgraver
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 3:49 pm

SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 8:23 am

Hello

Has anyone experienced the following issue: I have set NetXms to poll a Mikrotik router via ssh, and each time an attempt is made, the router generates the error "can't agree on KEX algorithms". When I log in manually via ssh, there is no error. Seems like it started with NetXms version 3.5.90. It used to work on the older version and the polling script hasn't changed.

From the NetXms forum I got the reply "Looks like router supports only ssh-dss and ssh-rsa as host key algorithms and they are not offered by client".

Also debug from Mikrotik: https://i.ibb.co/B3t9VzL/Kex-Error.png
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 9:28 am

If you have strong-crypto under /ip ssh set to yes, there's nothing more you could do at RouterOS side through configuration. So you have to see whether you can enable a weaker key suite at the NetXMS end. I don't know whether the ssh poll uses the settings from /etc/ssh/ssh_config or whether it uses some own ones; if you're running the NetXMS backend on Windows, I have no idea where to look at all.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 9:29 am

The error message indicates this is about key exchange algorithms, but following the log it was agreed on diffie-hellman-group-exchange-sha256.
In fact it was not agreed on the host key algorithms. Looks like both support rsa-sha2-256, no idea why it is not used. BTW, ssh-dss and ssh-rsa are valid for host key type and algorithm.

You could try to enable or disable strong-crypto, not sure if it makes a difference...
/ip ssh set strong-crypto=yes
/ip ssh set strong-crypto=no
Probably only support can give a real answer on this.
 
Xgraver
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 3:49 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 9:46 am

/ip ssh is set as:
forwarding-enabled: no
always-allow-password-login: no
strong-crypto: no
allow-none-crypto: no
host-key-size: 2048
Also, I did not change Mikrotik settings when this error started happening; instead it was the NetXMS update. The error shows up on 2 routers.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 9:50 am

Error shows up on 2 routers.
Are these the only Mikrotik devices, or does it work on others?
 
Xgraver
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 3:49 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 10:36 am

Currently not polling others via NetXms, but most likely the result would be the same, because the other routers have the same firmware.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 11:22 am

Set strong-crypto to yes as I wrote above and try again.
 
Xgraver
just joined
Topic Author
Posts: 12
Joined: Fri Mar 24, 2017 3:49 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 11:47 am

Set strong-crypto to yes as I wrote above and try again.
Unfortunately no difference, still error message.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 11:57 am

So then the second part of my message applies - nothing else can be done at Mikrotik side at user level.

This is a forum of users which Mikrotik staff only monitors, not an official input channel to Mikrotik product development. So to have the list of supported ciphers augmented at Mikrotik side, you have to ask Mikrotik to add support for the newer ciphers to future RouterOS releases. The official way to ask for new features/improvements is to contact your distributor, not Mikrotik directly - the bigger the customer, the higher the importance of their wishes to the vendor, but of course the distributors also have their own priority lists.
You can try to use https://help.mikrotik.com or mailto:support@mikrotik.com, but the answer may be just "thank you, we'll consider that for future".

So I suppose you'll get it resolved more quickly if you ask the NetXMS team for advice how to permit weaker ciphers at their end.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Oct 09, 2020 3:26 pm

A brief google search has found this: https://www.netxms.org/documentation/ad ... oring.html

One of the first paragraphs says that the default ssh configuration is used by default, but that you can specify a dedicated configuration file for the ssh client. So you can enable the older ciphers selectively only for the NetXMS.
 
nbctcp
Frequent Visitor
Posts: 77
Joined: Tue Sep 16, 2014 7:32 pm

Re: SSH error "can't agree on KEX algorithms"

Fri Mar 19, 2021 2:25 pm

Hello

Has anyone experienced the following issue: I have set NetXms to poll a Mikrotik router via ssh, and each time an attempt is made, the router generates the error "can't agree on KEX algorithms". When I log in manually via ssh, there is no error. Seems like it started with NetXms version 3.5.90. It used to work on the older version and the polling script hasn't changed.

From the NetXms forum I got the reply "Looks like router supports only ssh-dss and ssh-rsa as host key algorithms and they are not offered by client".

Also debug from Mikrotik: https://i.ibb.co/B3t9VzL/Kex-Error.png
SOLUTION:
https://www.netxms.org/forum/general-su ... rithms%27/
 
christian178
newbie
Posts: 42
Joined: Fri Sep 25, 2020 4:26 pm

Re: SSH error "can't agree on KEX algorithms"

Wed Jan 12, 2022 5:02 pm

Hi,

I have the same error when I ssh to junos in fips-mode:

15:58:41 system,info log rule added by admin
15:58:43 ssh,debug transport state: 0 --> 1
15:58:43 ssh,debug transport state: 1 --> 2
15:58:43 ssh,debug,packet sending string
15:58:43 ssh,debug,packet SSH-2.0-ROSSSH\r
15:58:43 ssh,debug,packet
15:58:43 ssh,debug client version: SSH-2.0-OpenSSH_7.5
15:58:43 ssh,debug transport state: 2 --> 3
15:58:43 ssh,debug,packet packet create: 20
15:58:43 ssh,debug,packet ----- sending -----
15:58:43 ssh,debug,packet => offset:232 [0xe8]
15:58:43 ssh,debug,packet => size:e8 [0xe8]
15:58:43 ssh,debug,packet --------------------
15:58:43 ssh,debug,packet ----- recieved -----
15:58:43 ssh,debug,packet => offset:190 [0x190]
15:58:43 ssh,debug,packet => size:100 [0x100]
15:58:43 ssh,debug,packet --------------------
15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
15:58:43 ssh,debug comp algo CS: none,zlib@openssh.com
15:58:43 ssh,debug packet follows: 0
15:58:43 ssh,debug agreed on: can't agree on:
15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug code 0x0200000b closing..
15:58:43 ssh,debug,packet packet create: 1
15:58:43 ssh,debug,packet ----- sending -----
15:58:43 ssh,debug,packet => offset:24 [0x18]
15:58:43 ssh,debug,packet => size:18 [0x18]
15:58:43 ssh,debug,packet 0000 0014 0601 0000 000b 0000 0000 0000
15:58:43 ssh,debug,packet 0000 f150 8c23 ad43
15:58:43 ssh,debug,packet --------------------
15:58:43 ssh,debug transport state: 3 --> 0
15:58:43 ssh,debug closing connection: <> 192.168.1.1:22 (10)


What must I set on junos to make an ssh connection go (safely)?


Thanks
Christian
 
christian178
newbie
Posts: 42
Joined: Fri Sep 25, 2020 4:26 pm

Re: SSH error "can't agree on KEX algorithms"

Thu Feb 10, 2022 6:39 pm

Hi,

Does MT not use "diffie-hellman-group14-sha1" in the SSH client?

15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Only dhg-sha256?

Christian
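
The failed negotiation in the debug log above can be checked mechanically. This is an added example, not code from any poster, MikroTik or NetXMS: it applies the basic RFC 4253 rule (the first name on the client's list that the server also lists is chosen) to the `cl:`/`sl:` lines and reports which advertised list the failure belongs to, since the error text says "KEX" even when another category is the one that failed. The function names are hypothetical, the sample is constructed from log lines quoted in this thread, and the line layout is assumed to match that log.

```python
import re

# Constructed sample: negotiation lines copied from the log quoted in the thread.
SAMPLE_LOG = """\
15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
15:58:43 ssh,debug agreed on: can't agree on:
15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug code 0x0200000b closing..
"""

# "<time> ssh,debug <label>: <value>"; ssh,debug,packet lines do not match.
LINE = re.compile(r"^\S+ ssh,debug (?P<key>[^:]+): ?(?P<val>.*)$")

def split_names(value):
    """Split an SSH name-list ("a,b,c") into a Python list."""
    return [name for name in value.strip().split(",") if name]

def negotiate(client, server):
    """Basic RFC 4253 choice: first client name that the server also offers."""
    offered = set(server)
    return next((name for name in client if name in offered), None)

def diagnose(log_text):
    """Return details of the first failed negotiation in the log, or None."""
    advertised, cl, sl, failed = {}, None, None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, val = m["key"].strip(), m["val"]
        if key == "agreed on" and "can't agree on" in val:
            failed = True
        elif failed and key == "cl":
            cl = split_names(val)
        elif failed and key == "sl":
            sl = split_names(val)
        elif "algo" in key:              # peer's advertised list, e.g. "kex algo"
            advertised[key] = split_names(val)
    if cl is None or sl is None:
        return None
    # The failing category is the advertised list that equals cl or sl.
    category = next((k for k, v in advertised.items() if v in (cl, sl)), "unknown")
    return {"category": category, "client": cl, "server": sl,
            "agreed": negotiate(cl, sl)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
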
