Cisco IOS (XE) and OpenSSH 8.x
OpenSSH marches on and disables old and insecure algorithms. Sadly, Cisco IOS (XE) lags behind. Previously, I could do all scp operations from the CLI on the switches. Now, I must do everything from the management station. For now, I can get by if I allow some of the older key exchange (key agreement) algorithms. I wonder when Cisco will catch up with the latest developments in SSH/secsh.
Here’s how I can push a new image to a switch from the management station:
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 cat4500es8-universalk9.SPA.03.11.06.E.152-7.E6.bin username@device.tld:bootflash:cat4500es8-universalk9.SPA.03.11.06.E.152-7.E6.bin
Merging new configuration is achieved by using command lines like these:
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Vlan666-IPv4-in.acl username@device.tld:running-config
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Vlan666-IPv4-out.acl username@device.tld:running-config
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Vlan666-IPv6-in.acl username@device.tld:running-config
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Vlan666-IPv6-out.acl username@device.tld:running-config
Getting the running-config from the switch is done like this:
scp -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 username@device.tld:running-config device.tld.text
Most of this tedious typing can be avoided if you add the appropriate lines to ~/.ssh/config. (Yes, I know most shells have persistent command line history. I use it all the time.)
Host device.tld
    KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
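An added example, not from the original post: a small POSIX shell helper that checks the local OpenSSH client still offers the two legacy algorithms (the `+` form only works if they are compiled in), prints a per-host stanza so the weaker algorithms are enabled for that one device rather than globally, and wraps scp for one-off transfers. The host name device.tld and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Hostnames and file
# names passed to these functions are placeholders chosen by the caller.

# Key exchange algorithms Cisco IOS (XE) still requires (from the post).
LEGACY_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"

# Return 0 if every algorithm in LEGACY_KEX appears in the supplied list
# (one per line, the format of `ssh -Q kex`); otherwise report the missing
# ones on stderr and return 1. With no argument, query the local client.
check_legacy_kex() {
    supported=${1:-$(ssh -Q kex)}
    missing=""
    for alg in $LEGACY_KEX; do
        if ! printf '%s\n' "$supported" | grep -qx "$alg"; then
            missing="$missing $alg"
        fi
    done
    if [ -n "$missing" ]; then
        echo "client lacks:$missing" >&2
        return 1
    fi
    return 0
}

# Print a ~/.ssh/config stanza that appends the legacy algorithms for one
# host only; '+' keeps the client's modern defaults ahead of them.
emit_host_stanza() {
    host=$1
    printf 'Host %s\n' "$host"
    printf '    KexAlgorithms +%s\n' "$(echo $LEGACY_KEX | tr ' ' ',')"
}

# Wrap scp so the option is passed explicitly for a one-off transfer,
# e.g. scp_legacy image.bin username@device.tld:bootflash:image.bin
scp_legacy() {
    scp -o "KexAlgorithms=+$(echo $LEGACY_KEX | tr ' ' ',')" "$@"
}
```

Append the output of `emit_host_stanza device.tld` to ~/.ssh/config to get the same effect as the stanza above without typing the option every time.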