By default the Cisco ASAv has a weak SSH configuration that many modern OSes no longer support.
ssh admin@10.1.10.56
Unable to negotiate with 10.1.10.56 port 22: no matching host key type found. Their offer: ssh-rsa
This error comes from the client side: the local ssh client refuses to use any of the host key algorithms the ASAv offers (here, only ssh-rsa).
To get around this you can try the following.
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa admin@10.1.10.56
The authenticity of host '10.1.10.56 (10.1.10.56)' can't be established.
RSA key fingerprint is SHA256:TIbF/exW4uqfmy/yf8JyxddX8DApYduK2NVXNHfRBXI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.10.56' (RSA) to the list of known hosts.
ssh_dispatch_run_fatal: Connection to 10.1.10.56 port 22: error in libcrypto
However, as you can see from the output above, there is another error. This one also comes from the client side OS, which is enforcing its own system-wide crypto policy.
One way around this is to enable legacy crypto on the OS side, which you can do with the command below.
sudo update-crypto-policies --set LEGACY
However, this is a bad idea and can break a lot of other things on the client side. Rather than work around the problem on the workstation, we will fix it on the ASAv.
Fix SSH on the Cisco ASAv – Instead of Breaking my Workstation
Cisco documents that starting in ASA 9.16(1), the ASAv added support for EdDSA and ECDSA SSH host keys, and the ASAv will prefer EdDSA → ECDSA → RSA if those keys exist.
Given I'm on ASAv 9.20(4), I should be able to generate these keys and then connect with my normal ssh client settings. See the commands below.
enable
configure terminal
! Generate an Ed25519 (EdDSA) host key (preferred)
crypto key generate eddsa edwards-curve ed25519
! Also generate an ECDSA host key (good fallback)
crypto key generate ecdsa elliptic-curve 256
write memory
Restarting SSH on the ASAv
Now we need to restart SSH on the ASAv so that it switches to the new host key. You will need to run these commands from the console, since removing the ssh statement drops any existing SSH sessions.
conf t
no ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 management
end
Now we can verify the keys in use on the ASAv. Specifically, we want to look at the EdDSA and ECDSA keys.
# show crypto key mypubkey ecdsa
# show crypto key mypubkey eddsa
Now we can log in normally via SSH from our workstation.
ssh admin@10.1.10.56
The authenticity of host '10.1.10.56 (10.1.10.56)' can't be established.
ECDSA key fingerprint is SHA256:Z5+PHzIl6L9BvvdYl2bBrFGi2rlmefmuv0uc27UTBo4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.10.56' (ECDSA) to the list of known hosts.
admin@10.1.10.56's password:
User admin logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa>
Further Configuration for SSH on the ASAv
I did find that after all my changes to SSH on the ASAv, I was still unable to SSH to the ASAv from several VMs (a new RHEL 10 build, for example).
ssh admin@10.1.10.56
kex_exchange_identification: read: Connection reset by peer
In order to get SSH to work from RHEL 10, I ran the commands below on the ASAv.
conf t
ssh key-exchange group dh-group14-sha256
ssh key-exchange group curve25519-sha256
Details below as to why this was required.
| Command Added | Why RHEL 10 liked it |
|---|---|
| dh-group14-sha256 | This moves the hashing from SHA-1 to SHA-256. RHEL 10 requires SHA-256 or higher for the handshake to be considered “safe.” |
| curve25519-sha256 | This is the preferred algorithm for modern OpenSSH. It is extremely fast and mathematically robust. Once the ASA offered this, RHEL 10 stopped looking for other options and just connected. |
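To confirm from the workstation that an ASAv you administer no longer offers only the legacy algorithms covered in this post (the ssh-rsa-only host key from the first section and the SHA-1 key exchange from this one), here is an added Python audit script. It is not from the original post and not Cisco's code. It completes only the SSH version exchange and reads the server's SSH_MSG_KEXINIT (RFC 4253), so no credentials are ever sent; `parse_kexinit`, `build_kexinit`, `assess` and `fetch_kexinit` are names chosen here, and the two sample offers are constructed to mirror the post's description of a default ASAv (ssh-rsa host key, SHA-1 group) and the same box after the fix. Note that the ASA keyword `dh-group14-sha256` corresponds to the SSH algorithm name `diffie-hellman-group14-sha256`, which is what actually appears in the KEXINIT.

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# What a current OpenSSH client (e.g. RHEL 10) refuses by default:
# SHA-1 based key exchange and the ssh-rsa / ssh-dss host key types.
SHA1_KEX_SUFFIX = "-sha1"
LEGACY_HOST_KEYS = {"ssh-rsa", "ssh-dss"}


def _name_list(buf, off):
    """Read one SSH name-list (uint32 length + comma separated names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(packet):
    """Parse a raw SSH binary packet carrying SSH_MSG_KEXINIT (RFC 4253 7.1).

    Returns the key exchange and host key algorithm lists the sender offers.
    """
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:4 + packet_len - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 1 + 16  # skip message type and the 16-byte cookie
    fields = {}
    for field in ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        fields[field], off = _name_list(payload, off)
    return {"kex": fields["kex"], "host_key": fields["host_key"]}


def build_kexinit(kex, host_key):
    """Build a KEXINIT packet; used only to construct sample offers offline."""
    def nl(items):
        data = ",".join(items).encode("ascii")
        return struct.pack(">I", len(data)) + data

    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie: sample data only
    payload += nl(kex) + nl(host_key)
    payload += nl(["aes128-ctr"]) * 2 + nl(["hmac-sha2-256"]) * 2
    payload += nl(["none"]) * 2 + nl([]) * 2
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad = 8 - ((5 + len(payload)) % 8)  # total length must be a multiple of 8
    if pad < 4:  # and there must be at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def assess(offer):
    """Explain why a modern client would refuse this offer (empty list = fine)."""
    findings = []
    host_keys = set(offer["host_key"])
    if host_keys and host_keys <= LEGACY_HOST_KEYS:
        findings.append("host keys: only %s offered; generate EdDSA/ECDSA host keys"
                        % ",".join(sorted(host_keys)))
    kex = offer["kex"]
    if kex and all(k.endswith(SHA1_KEX_SUFFIX) for k in kex):
        findings.append("kex: only SHA-1 groups offered; add curve25519-sha256 "
                        "and diffie-hellman-group14-sha256")
    return findings


def fetch_kexinit(host, port=22, timeout=5.0):
    """Do the version exchange and read the server's KEXINIT; no login attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):  # skip any pre-version banner
            line = stream.readline()
        header = stream.read(4)
        (packet_len,) = struct.unpack(">I", header)
        body = stream.read(packet_len)
    return parse_kexinit(header + body)


# Constructed sample offers (assumptions modelled on the post): a default ASAv with
# an ssh-rsa host key and a SHA-1 group, and the same box after the changes above.
DEFAULT_ASAV = build_kexinit(["diffie-hellman-group14-sha1"], ["ssh-rsa"])
FIXED_ASAV = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha256",
                            "diffie-hellman-group14-sha1"],
                           ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a host you administer, e.g. 10.1.10.56
        offer = fetch_kexinit(sys.argv[1])
    else:
        offer = parse_kexinit(DEFAULT_ASAV)
    print("kex:", offer["kex"])
    print("host keys:", offer["host_key"])
    for finding in assess(offer) or ["offer acceptable to a modern OpenSSH client"]:
        print(" -", finding)
```

Run it with no arguments to see the findings for the constructed default offer, or with the ASAv's address to read the live offer. The check reads the same KEXINIT that `ssh -vv` prints as "peer server KEXINIT proposal", but without depending on the workstation's own crypto policy, so it still works from a RHEL 10 host whose client refuses to proceed past the handshake.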