不涉及
H3C交换机作为客户端,无法ssh登陆华为交换机,且无报错:
<H3C>ssh2 10.*.*.11
Username: admin
Press CTRL+C to abort.
Connecting to 10.*.*.11 port 22.
<H3C>
1、其他设备可以登陆华为交换机,说明服务端基本服务正常
2、华为交换机没有针对ssh登陆的源地址做限制
3、H3C交换机和华为交换机在同一二层环境,不存在安全设备/包过滤拦截ssh报文
4、H3C交换机作为客户端登陆时,开启debug查看ssh协商过程:
-----------------------------
<H3C>dis info-center
Information Center: Enabled-----此处为enable(默认enable),表示信息中心模块为开启状态,可以正常显示debug调试信息,如为disable,需要
<H3C>system-view
[H3C]info-center enable
-----------------------------
<H3C>debugging ssh client all
<H3C>t d
<H3C>t m
<H3C>
<H3C>ssh2 10.*.*.11
Username: admin
Press CTRL+C to abort.
Connecting to 10.*.*.11 port 22.
*Jan 31 15:24:18:590 2022 H3C SSHC/7/EVENT: -COntext=1; Connection established.
*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Remote protocol version 2.0, remote software version HUAWEI-1.5
*Jan 31 15:24:18:592 2022 H3C SSHC/7/EVENT: -COntext=1; Enabling compatibility mode for protocol 2.0
*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Get self version string Comware-7.1.064
*Jan 31 15:24:18:593 2022 H3C SSHC/7/EVENT: -COntext=1; Local version string SSH-2.0-Comware-7.1.064
<H3C>*Jan 31 15:24:18:593 2022 H3C SSHC/7/MESSAGE: -COntext=1; Prepare packet[20].
*Jan 31 15:24:18:600 2022 H3C SSHC/7/MESSAGE: -COntext=1; Received packet type 20.
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Received SSH2_MSG_KEXINIT.
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; My proposal kex: //我方支持的算法能力集
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Jan 31 15:24:18:600 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none,zlib,zlib@openssh.com
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none,zlib,zlib@openssh.com
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Peer proposal kex: //友商设备支持的算法能力集
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(0): diffie-hellman-group14-sha1
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-rsa
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(2): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(3): aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(4): hmac-sha2-256
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(5): hmac-sha2-256
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(6): none
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(7): none
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(8):
*Jan 31 15:24:18:601 2022 H3C SSHC/7/EVENT: -COntext=1; Kex strings(9):
%Jan 31 15:24:18:601 2022 H3C SSHS/6/SSHS_ALGORITHM_MISMATCH: -COntext=1; SSH client 10.*.*.11 failed to log in because of Message Authentication code (MAC) algorithm mismatch.
*Jan 31 15:24:18:601 2022 H3C SSHC/7/ERROR: -COntext=1; No matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 server hmac-sha2-256
----------可以看到,因客户端和服务端算法不匹配,导致登录失败
<H3C>
<H3C>u t m
<H3C>u t d
<H3C>undo debugging all
1、因H3C交换机在网运行版本老旧,无法通过命令调整客户端支持更多算法
2、服务端华为交换机做过版本更新,可通过命令调整兼容H3C交换机设备现有算法
3、华为交换机增加如下配置:
<HW>sys
[HW]ssh server secure-algorithms cipher 3des aes128 aes256_cbc aes128_ctr aes256_ctr
[HW]ssh server secure-algorithms hmac md5 md5_96 sha1 sha2_256 sha1_96 sha2_256_96
测试可正常登陆:
<H3C>ssh2 10.*.*.11
Username: admin
Press CTRL+C to abort.
Connecting to 10.*.*.11 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
admin@10.*.*.11's password:
Enter a character ~ and a dot to abort.
Warning: The password will expire in 17 days.
The password needs to be changed. Change now? [Y/N]: n
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: SSH
IP-Address : 10.*.*.1
Time : 2022-01-31 15:20:28+08:00
-----------------------------------------------------------------------------
<HW>
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作