HP-ssh
Enabling ssh connections to older HP switches
On the switch
If you get Connection refused when trying to ssh to a switch, then ssh is not enabled. This is the default on a 2510G-24 for example. To enable, run the following from the cli:

    config
    crypto key generate ssh
    ip ssh
    write memory

On the client
Old switches use old ciphers and algorithms. Newer ssh clients generally still support these old methods, but will not use them unless explicitly told to do so. For example:

    # ssh admin@192.168.10.1
    Unable to negotiate with 192.168.10.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    # ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.10.1
    Unable to negotiate with 192.168.10.1 port 22: no matching cipher found. Their offer: des,3des-cbc
    # ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc admin@192.168.10.1
    Unable to negotiate with 192.168.10.1 port 22: no matching host key type found. Their offer: ssh-rsa
    # ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc -oHostKeyAlgorithms=+ssh-rsa admin@192.168.10.1
    [success]

To make this permanent, if your switches are all on the same IP range (e.g. 192.168.10.x) add the following to your /etc/ssh/ssh_config file:

    Host 192.168.10.*
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc
        HostKeyAlgorithms +ssh-rsa

You can also use hostnames:

    Host oldswitch1
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc
        HostKeyAlgorithms +ssh-rsa

Hostnames can be wildcarded:

    Host switch-*
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc
        HostKeyAlgorithms +ssh-rsa
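
The Host blocks above keep the legacy algorithms confined to the switches. As an added example (not part of the original page), the script below checks ssh_config text for the same three algorithms enabled globally or under Host *; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. audit_legacy_scope is a
# hypothetical helper: it reads ssh_config text on stdin and reports legacy
# algorithms that are enabled for every host rather than a named Host block.
audit_legacy_scope() {
    awk '
    BEGIN { scope = "(global)"; wide = 1 }   # options before any Host are global
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/[ \t]*=[ \t]*/, " ", line)           # accept "Keyword=value"
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "host" || key == "match") {
            scope = line; wide = 0
            for (i = 2; i <= n; i++) if (f[i] == "*") wide = 1
            if (key == "match" && tolower(f[2]) == "all") wide = 1
            next
        }
        if (!wide || f[2] ~ /^-/) next            # scoped block, or a removal
        if (key != "kexalgorithms" && key != "ciphers" &&
            key != "hostkeyalgorithms") next
        m = split(f[2], alg, ",")
        for (i = 1; i <= m; i++) {
            a = alg[i]; sub(/^[+^]/, "", a)
            if (a == "diffie-hellman-group1-sha1" || a == "3des-cbc" ||
                a == "ssh-rsa")
                printf "%d: %s enables %s under %s\n", NR, f[1], a, scope
        }
    }'
}

# Constructed sample config: one scoped block (fine), two unscoped settings.
sample_config() {
    cat <<'EOF'
Ciphers +3des-cbc
Host 192.168.10.*
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +3des-cbc
    HostKeyAlgorithms +ssh-rsa
Host *
    HostKeyAlgorithms=+ssh-rsa
EOF
}

sample_config | audit_legacy_scope
```

To check a real client, feed it the file directly, e.g. `audit_legacy_scope < /etc/ssh/ssh_config`; no output means none of the three algorithms is enabled outside a specific Host block.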