FortiGate new software SSH error with NCM

We just upgraded our FortiGate devices to the newest versions, 7.0.13 or 7.2.6, and we cannot download configs; before, it worked fine. Now we can see that the FortiGate gives a log message: "Negotiation failed: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss." But with the same user I can connect to it with SSH from my computer.

  • Hi, I have seen the exact same issue and thought I would shed some light on this matter for you.

    ssh-rsa is no longer offered as the server host key algorithm after upgrading to FortiOS 7.2.6; it ONLY offers the ssh-ed25519 algorithm!

    You need to enable ed25519 (this is DH group 19, the start of the elliptic curve). Even when you disable strong crypto (not recommended unless it is a test lab), the old ssh-rsa key is no longer offered. You can update the NPM on SolarWinds/Orion or create a new SSH host key, but the global setting will not work even with SHA1/DH1 specified in the algorithms. The ssh-rsa (SHA1) is old and should be deprecated. Our FortiGates and ASAs on the newer OS are hitting this issue.


    The same host key algorithm offering can be verified in the SSH debugs:

     
    7.2.5 logs
    2123-10-2110:08:21 SSH: Proposal: 0, Ciphers: 'diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp081'
    2123-10-2110:08:21 SSH: Proposal: 2, Ciphers: 'chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'
    2123-10-2110:08:21 SSH: Proposal: 3, Ciphers: 'chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'
    2123-10-2110:08:21 SSH: Proposal: 4, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'
    2123-10-2110:08:21 SSH: Proposal: 5, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'


    **** 2123-10-2110:08:21 SSH: list_hostkey_types: ssh-rsa,ssh-ed25519

    2123-10-2110:08:21 SSH: SSH2_MSG_KEXINIT sent
    2123-10-2110:08:21 SSH: SSH2_MSG_KEXINIT received
    2123-10-2110:08:21 SSH: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp081
    2123-10-2110:08:21 SSH: kex_parse_kexinit: ssh-rsa,ssh-ed25519
    2123-10-2110:08:21 SSH: kex_parse_kexinit: chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
    2123-10-2110:08:21 SSH: kex_parse_kexinit: chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
    2123-10-2110:08:21 SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    2123-10-2110:08:21 SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    ###########################################################################################################

    ###########################################################################################################



    ####    7.2.6 logs     ***** Shows it only offers ssh-ed25519.

    2123-10-2110:09:08 SSH: Proposal: 0, Ciphers: 'diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp081'
    2123-10-2110:09:08 SSH: Proposal: 2, Ciphers: 'chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'
    2123-10-2110:09:08 SSH: Proposal: 3, Ciphers: 'chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'
    2123-10-2110:09:08 SSH: Proposal: 4, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'
    2123-10-2110:09:08 SSH: Proposal: 5, Ciphers: 'hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com'

    **** 2123-10-2110:09:08 SSH: list_hostkey_types: ssh-ed25519

    2123-10-2110:09:08 SSH: SSH2_MSG_KEXINIT sent
    2123-10-2110:09:08 SSH: SSH2_MSG_KEXINIT received
    2123-10-2110:09:08 SSH: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp081
    2123-10-2110:09:08 SSH: kex_parse_kexinit: ssh-ed25519
    2123-10-2110:09:08 SSH: kex_parse_kexinit: chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
    2123-10-2110:09:08 SSH: kex_parse_kexinit: chacha21-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
    2123-10-2110:09:08 SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
    2123-10-2110:09:08 SSH: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com


    ##############################################################################################################

    Kind regards

    Steven

  • "You can update the NPM on SolarWinds/Orion or create a new SSH host key"

    Is this something you can explain a little bit more? It sounds like you were able to do this as a workaround and get NCM to work on the FortiGates?
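The host key mismatch Steven's debug output shows can be checked mechanically rather than by eyeballing the logs. The script below is an added example, not code from the thread, from SolarWinds or from Fortinet: it pulls the `list_hostkey_types` name-list out of FortiGate SSH debug text, pulls the peer's list out of the "Their offer:" failure message from the original post, and applies the RFC 4253 section 7.1 rule (the first algorithm in the client's list that the server also lists wins; no common entry means the connection is refused). The 7.2.5 and 7.2.6 excerpts are trimmed copies of the logs posted above with their timestamps left as pasted; the workstation client list is a constructed assumption standing in for a current OpenSSH client, which is why a manual SSH session still works against 7.2.6 while NCM's RSA/DSS-only list does not.

```python
import re
from typing import Dict, List, Optional

# Trimmed copies of the FortiGate SSH debug excerpts quoted in the thread.
# Only the list_hostkey_types line matters for this check.
FGT_725_DEBUG = """\
2123-10-2110:08:21 SSH: Proposal: 0, Ciphers: 'diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org'
**** 2123-10-2110:08:21 SSH: list_hostkey_types: ssh-rsa,ssh-ed25519
2123-10-2110:08:21 SSH: SSH2_MSG_KEXINIT sent
"""
FGT_726_DEBUG = """\
2123-10-2110:09:08 SSH: Proposal: 0, Ciphers: 'diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org'
**** 2123-10-2110:09:08 SSH: list_hostkey_types: ssh-ed25519
2123-10-2110:09:08 SSH: SSH2_MSG_KEXINIT sent
"""

# The failure message from the original post. Logged by the FortiGate (the server),
# so "Their offer" is the connecting client's (NCM's) accepted host key algorithms.
NCM_FAILURE_MSG = ("Negotiation failed: no matching host key type found. "
                   "Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss.")

# Constructed assumption: a typical modern OpenSSH workstation client lists
# ssh-ed25519 first. The real order depends on the client version and its config.
WORKSTATION_CLIENT_HOSTKEY_ALGS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]

HOSTKEY_LINE_RE = re.compile(r"list_hostkey_types:\s*([\w@.,-]+)")
OFFER_RE = re.compile(r"Their offer:\s*([\w@.,-]+)")


def parse_server_hostkey_types(debug_text: str) -> List[str]:
    """Return the host key algorithms the FortiGate advertises in its KEXINIT,
    read from the 'list_hostkey_types' debug line (order preserved)."""
    for line in debug_text.splitlines():
        m = HOSTKEY_LINE_RE.search(line)
        if m:
            return [a for a in m.group(1).rstrip(".").split(",") if a]
    raise ValueError("no list_hostkey_types line found in debug output")


def parse_client_offer(message: str) -> List[str]:
    """Extract the peer's host key name-list from a 'Their offer: ...' message.
    The trailing sentence period is stripped so it is not glued to the last name."""
    m = OFFER_RE.search(message)
    if not m:
        raise ValueError("no 'Their offer' list found in message")
    return [a for a in m.group(1).rstrip(".").split(",") if a]


def negotiate_hostkey(client_algs: List[str], server_algs: List[str]) -> Optional[str]:
    """RFC 4253 s7.1: the chosen host key algorithm is the first entry of the
    client's name-list that the server also lists; None means negotiation fails.
    Matching is on the exact name: rsa-sha2-256/512 (RFC 8332) sign with an RSA
    key but are separate names, so they match only if the server lists them."""
    server = set(server_algs)
    for alg in client_algs:
        if alg in server:
            return alg
    return None


def diagnose(client_algs: List[str], server_algs: List[str]) -> Dict[str, object]:
    """Summarise why a handshake succeeds or fails on the host key step."""
    chosen = negotiate_hostkey(client_algs, server_algs)
    return {
        "ok": chosen is not None,
        "chosen": chosen,
        # What the server would need to add, or the client would need to accept,
        # for the two sides to meet.
        "server_only": [a for a in server_algs if a not in client_algs],
        "client_only": [a for a in client_algs if a not in server_algs],
    }


if __name__ == "__main__":
    ncm = parse_client_offer(NCM_FAILURE_MSG)
    for label, debug in (("FortiOS 7.2.5", FGT_725_DEBUG), ("FortiOS 7.2.6", FGT_726_DEBUG)):
        server = parse_server_hostkey_types(debug)
        print(label, "server offers:", server)
        print("  NCM client        ->", diagnose(ncm, server))
        print("  workstation client->", diagnose(WORKSTATION_CLIENT_HOSTKEY_ALGS, server))
```

Run against the thread's data, the 7.2.5 excerpt negotiates `ssh-rsa` with NCM's list and 7.2.6 negotiates nothing, while the assumed workstation client still lands on `ssh-ed25519` in both cases; the `client_only` entry in the report shows exactly which side has to change (an ed25519-capable client in NCM, or a server that again lists an RSA-based name).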
