When attempting to SSH to a ScreenOS device from a Cisco switch, the following error is reported in the logs:
Event Log on ScreenOS device (NetScreen):
system error 00528 SSH: Failed to negotiate host key algorithm with host x.x.x.x.
Cisco Switch Log:
SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss
Solution
The Cisco client is using SSH-RSA, and the ScreenOS device is using SSH-DSA (same as DSS).
ScreenOS supports SSH-RSA in SSHv1, and it supports SSH-DSA in SSHv2.
To find the SSH version and see the algorithm in use, run the following commands:
Example 1 DSA key:
get ssh
SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections
Maximum sessions: 24
Active sessions: 0
get ssh host-key
DSA fingerprint:
finger_print = 37:23:74:ba:4c:a5:91:d1:ea:4e:a2:a8:46:58:4e:b1
Example 2 RSA Key:
get ssh
SSH V1 is active
SSH is enabled
SSH is ready for connections
Key regeneration time: 60 minutes
Maximum sessions: 24
Active sessions: 0
get ssh host-key
Length: 1024
Exponent: 65537
Modulus:
Key ID: 0F96C0C2EE54B93A1BB6
RSA1 key fingerprint:
15:07:33:d4:16:39:2b:cb:90:3b:4d:1d:b3:ef:67:22
To resolve this issue, the host key algorithm has to match. Either set the firewall to SSHv1 or SSHv2 to match the Cisco unit, or set the Cisco unit to match the firewall.
To change to SSHv1, run the following commands:
delete ssh device all
set ssh version v1
set ssh enable
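The check described above, as an added triage example (not part of the original article or of any vendor tooling): it parses the "get ssh" output and the Cisco log line shown in the article and applies the SSHv2 host key selection rule, simplified from RFC 4253 section 7.1. The function names are hypothetical, and treating the client and server fields as comma-separated lists is an assumption.

```python
import re

# Sample inputs copied from the article above (Cisco log line, Example 1 and 2 output).
CISCO_LINE = "SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss"
EXAMPLE_1 = """SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections"""
EXAMPLE_2 = """SSH V1 is active
SSH is enabled
SSH is ready for connections"""

def parse_get_ssh(text):
    """Extract protocol version and readiness from ScreenOS 'get ssh' output."""
    ver = re.search(r"SSH (V\d) is active", text)
    return {
        "version": ver.group(1) if ver else None,
        # Anchored so that 'SSH is NOT enabled' does not count as enabled.
        "enabled": bool(re.search(r"^SSH is enabled\s*$", text, re.M)),
        "ready": bool(re.search(r"^SSH is ready for connections\s*$", text, re.M)),
    }

def parse_cisco_hostkey_error(line):
    """Return (client_algs, server_algs) from the Cisco log line, or None."""
    m = re.search(r"hostkey algo not supported: client (\S+), server (\S+)", line)
    if not m:
        return None
    # Assumption: multiple algorithms, if logged, are comma-separated.
    return m.group(1).split(","), m.group(2).split(",")

def negotiate_hostkey(client_algs, server_algs):
    """SSHv2 rule, simplified: first client preference the server also lists."""
    return next((a for a in client_algs if a in server_algs), None)

def diagnose(get_ssh_text, cisco_line):
    """Return (active SSH version on the firewall, list of findings)."""
    state = parse_get_ssh(get_ssh_text)
    findings = []
    if not (state["enabled"] and state["ready"]):
        findings.append("SSH on the firewall is not enabled/ready")
    parsed = parse_cisco_hostkey_error(cisco_line)
    if parsed and negotiate_hostkey(*parsed) is None:
        findings.append("no common host key algorithm: client %s, server %s"
                        % ("/".join(parsed[0]), "/".join(parsed[1])))
    return state["version"], findings

if __name__ == "__main__":
    for name, output in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, diagnose(output, CISCO_LINE))
```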
Come on, SSHv1 is broken. Use a DSA key instead or change your hardware.