topic Re: Is it possible to connect to my switch using ssh from the checkpoint cli ? in Firewall and Security Management

Is it possible to connect to my switch using ssh from the checkpoint cli ?

nflnetwork29 — Fri, 12 Feb 2021 16:40:37 GMT

is it possible to connect to my switch using ssh from the checkpoint cli ?

Here is the message i got .

no matching cipher found: client aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se server aes128-ctr,aes192-ctr,aes256-ctr

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

PhoneBoy — Fri, 12 Feb 2021 16:48:28 GMT

It means the SSH client on the gateway doesn’t support the same ciphers the SSH server is configured to use.
What kind of gateway are you SSHing from and what software version?

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

nflnetwork29 — Fri, 12 Feb 2021 18:20:06 GMT

SMB 1450 R77.20.15

I guess another limitation of the SMB model line?

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

the_rock — Fri, 12 Feb 2021 18:34:27 GMT

Phoneboy's response is 100% correct actually. Definitely means it would not support same ciphers...I had seen this before.

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

PhoneBoy — Fri, 12 Feb 2021 20:07:38 GMT

The version string on our SSH client on SMB says: SSHield_2.1.0 derived from OpenSSH_3.5p1, SSH protocols 1.5/2.0, which I believe is used on VXworks systems.
I checked on both R77.20.x and R80.20.x systems, same version string.
OpenSSH 3.5 is pretty old and doesn't support more modern ciphers.
Even our regular gateways, until recently, were using a fairly old version of OpenSSH.
We updated that (along with the Linux kernel) in R80.40.

Getting this client updated on SMB would be an RFE.
Meanwhile, you will have to reconfigure your SSH server to support at least one cipher in common with the client.

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

nmelay2 — Wed, 29 Jan 2025 13:31:48 GMT

Yeah I know this is a pretty old thread, but FYI, on the SMB 700/1400 product line, you might want to use dbclient, the dropbear SSH client, instead of ssh/openssh.

Re: Is it possible to connect to my switch using ssh from the checkpoint cli ?

PhoneBoy — Wed, 29 Jan 2025 21:45:09 GMT

Turns out dbclient will also work when connecting to a 700/1400 series appliance from a different host when SSH won't work because of the cipher configuration.
Great tip!