H3C交换机无法SSH登陆华为交换机

不涉及

H3C交换机作为客户端，无法ssh登陆华为交换机，且无报错：

<H3C>ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.

<H3C>

1、其他设备可以登陆华为交换机，说明服务端基本服务正常

2、华为交换机没有针对ssh登陆的源地址做限制

3、H3C交换机和华为交换机在同一二层环境，不存在安全设备/包过滤拦截ssh报文

4、H3C交换机作为客户端登陆时，开启debug查看ssh协商过程：

-----------------------------

<H3C>dis info-center

 Information Center: Enabled-----此处为enable(默认enable)，表示信息中心模块为开启状态，可以正常显示debug调试信息，如为disable，需要

<H3C>system-view

[H3C]info-center enable

-----------------------------

<H3C>debugging ssh client all

<H3C>t  d

<H3C>t  m

<H3C>

<H3C>ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.

*Jan 31 15:24:18:590 2022 H3C SSHC/7/EVENT: -COntext=1; Connection established.

*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Remote protocol version 2.0, remote software version HUAWEI-1.5

*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Enabling compatibility mode for protocol 2.0

*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Get self version string Comware-7.1.064

*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Local version string SSH-2.0-Comware-7.1.064

<H3C>*Jan 31 15:24:18:593 2022 H3C SSHC/7/MESSAGE: -COntext=1; Prepare packet[20].

*Jan 31 15:24:18:600 2022 H3C SSHC/7/MESSAGE: -COntext=1; Received packet type 20.

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Received SSH2_MSG_KEXINIT.

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; My proposal kex: //我方支持的算法能力集

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-dss,ssh-rsa

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes128-cbc,aes256-cbc,3des-cbc,des-cbc

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes128-cbc,aes256-cbc,3des-cbc,des-cbc

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96

*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none,zlib,zlib@openssh.com

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none,zlib,zlib@openssh.com

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Peer proposal kex:  //友商设备支持的算法能力集

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group14-sha1

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-rsa

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha2-256

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha2-256

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):

*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):

%Jan 31 15:24:18:601 2022 H3C SSHS/6/SSHS_ALGORITHM_MISMATCH: -COntext=1; SSH client 10.*.*.11 failed to log in because of Message Authentication code (MAC) algorithm mismatch.

*Jan 31 15:24:18:601 2022 H3C SSHC/7/ERROR: -COntext=1; No matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 server hmac-sha2-256

----------可以看到，因客户端和服务端算法不匹配，导致登录失败

<H3C>

<H3C>u t m

<H3C>u t d

<H3C>undo debugging all

1、因H3C交换机在网运行版本老旧，无法通过命令调整客户端支持更多算法

2、服务端华为交换机做过版本更新，可通过命令调整兼容H3C交换机设备现有算法

3、华为交换机增加如下配置：

<HW>sys

[HW]ssh server secure-algorithms cipher 3des aes128 aes256_cbc aes128_ctr aes256_ctr

[HW]ssh server secure-algorithms hmac md5 md5_96 sha1 sha2_256 sha1_96 sha2_256_96

测试可正常登陆：

<H3C>ssh2 10.*.*.11

Username: admin

Press CTRL+C to abort.

Connecting to 10.*.*.11 port 22.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

admin@10.*.*.11's password:

Enter a character ~ and a dot to abort.

Warning: The password will expire in 17 days.

The password needs to be changed. Change now? [Y/N]: n

  -----------------------------------------------------------------------------    

  User last login information:    

  -----------------------------------------------------------------------------

  Access Type: SSH     

  IP-Address : 10.*.*.1    

  Time       : 2022-01-31 15:20:28+08:00    

  -----------------------------------------------------------------------------

<HW>