New-SSHSession : Key exchange failure : Posh v3.0.0

[bbrown2008]

Windows Version: Windows Server 2019 Standard
PowerShell Version: 5.1.17763.2867

Problem: New-SSHSession connection to Cisco appliance fails with the following error:
Exception has been thrown by the target of an invocation...... +CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], TarrgetInvocationException + FullyQualifiedErrorId : SSH.NewSshSession

Details:

• I am attempting to run the New-SSHSession commands from the enviornment's domain controller (which also serves as one of the DNS servers to the targeted appliance).
• The source and target servers are both on the same network and i have confirmed no firewall blockage
• The New-SSHSession does work from other windows servers residing on the same network
• Elliptic Curve Diffie-Hellman key exchange is used in the key exchange
  * On the failed attempt from the domain controller I confirmed (via wireshark): I see that the target-server initiated "Key Exchange Init" does take place. Following that, the server does not send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init". On other windows 2019 servers, where i am able to succesfully establish the New-SSHSession, wireshark shows that the sending server does send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init"

Troubleshooting:

• Established the New-SSHSession from another windows server to the same target Cisco VOS appliance (it worked)
• Compared Wireshark output from failed session to wireshark output from successful session: Found details listed above (client never sends key back to target server). NOTE: The command worked from the following TWO computers/servers: Windows 10 with powershell version 5.1.18362.1171 and Windows 2019 with powershell version 5.1.17763.2803
• I have tried various combinations of running -AcceptKey -force -port 22 from powershell. None fixes the problem
• i did run this command from powershell, which was suggested in a similar thread(older version of posh-ssh): Get-SSHTrustedHost | Remove-SSHTrustedHost <--this didnt fix the problem

[darkoperator]

Its a know issue with the core library. Waiting for the fix to be merged sshnet/SSH.NET#839 (comment)

…

Sent from my iPhone

On May 2, 2022, at 3:03 PM, bbrown2008 ***@***.***> wrote:  Windows Version: Windows Server 2019 Standard PowerShell Version: 5.1.17763.2867 Problem: New-SSHSession connection to Cisco appliance fails with the following error: Exception has been thrown by the target of an invocation...... +CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], TarrgetInvocationException + FullyQualifiedErrorId : SSH.NewSshSession Details: I am attempting to run the New-SSHSession commands from the enviornment's domain controller (which also serves as one of the DNS servers to the targeted appliance). The source and target servers are both on the same network and i have confirmed no firewall blockage The New-SSHSession does work from other windows servers residing on the same network Elliptic Curve Diffie-Hellman key exchange is used in the key exchange * On the failed attempt from the domain controller I confirmed (via wireshark): I see that the target-server initiated "Key Exchange Init" does take place. Following that, the server does not send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init". On other windows 2019 servers, where i am able to succesfully establish the New-SSHSession, wireshark shows that the sending server does send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init" Troubleshooting: Established the New-SSHSession from another windows server to the same target Cisco VOS appliance (it worked) Compared Wireshark output from failed session to wireshark output from successful session: Found details listed above (client never sends key back to target server). NOTE: The command worked from the following TWO computers/servers: Windows 10 with powershell version 5.1.18362.1171 and Windows 2019 with powershell version 5.1.17763.2803 I have tried various combinations of running -AcceptKey -force -port 22 from powershell. None fixes the problem i did run this command from powershell, which was suggested in a similar thread(older version of posh-ssh): Get-SSHTrustedHost | Remove-SSHTrustedHost <--this didnt fix the problem — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[bbrown2008]

Darkoperator, thanks for the reply but are you sure we're looking at the same issue?

In my case, i am able to make the New-SSHSession connection from other Windows2019 servers. The connection is only failing from the domain controller to the cisco device.

One other difference is that i'm not connecting to a cisco switch. I'm connecting to a cisco appliance (callmanager, which uses a different cisco linux-based OS than the cisco switch referenced in your link).

Also, i want to thank you for building this module!

[darkoperator]

What version of windows is the DC

…

Sent from my iPhone

On May 2, 2022, at 3:03 PM, bbrown2008 ***@***.***> wrote:  Windows Version: Windows Server 2019 Standard PowerShell Version: 5.1.17763.2867 Problem: New-SSHSession connection to Cisco appliance fails with the following error: Exception has been thrown by the target of an invocation...... +CategoryInfo : InvalidOperation: (Renci.SshNet.SshClient:SshClient) [New-SSHSession], TarrgetInvocationException + FullyQualifiedErrorId : SSH.NewSshSession Details: I am attempting to run the New-SSHSession commands from the enviornment's domain controller (which also serves as one of the DNS servers to the targeted appliance). The source and target servers are both on the same network and i have confirmed no firewall blockage The New-SSHSession does work from other windows servers residing on the same network Elliptic Curve Diffie-Hellman key exchange is used in the key exchange * On the failed attempt from the domain controller I confirmed (via wireshark): I see that the target-server initiated "Key Exchange Init" does take place. Following that, the server does not send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init". On other windows 2019 servers, where i am able to succesfully establish the New-SSHSession, wireshark shows that the sending server does send a "Client: Elliptic Curve Diffie-Hellman Key Exchange Init" Troubleshooting: Established the New-SSHSession from another windows server to the same target Cisco VOS appliance (it worked) Compared Wireshark output from failed session to wireshark output from successful session: Found details listed above (client never sends key back to target server). NOTE: The command worked from the following TWO computers/servers: Windows 10 with powershell version 5.1.18362.1171 and Windows 2019 with powershell version 5.1.17763.2803 I have tried various combinations of running -AcceptKey -force -port 22 from powershell. None fixes the problem i did run this command from powershell, which was suggested in a similar thread(older version of posh-ssh): Get-SSHTrustedHost | Remove-SSHTrustedHost <--this didnt fix the problem — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[bbrown2008]

Windows 2019 Standard. Other servers in the same domain are also running windows 2019 standard and are able to establish the ssh session via posh-SSH.

Even after applying an extremely relaxed group policy to the DC, i still get the same result. Putty does work from the DC

[MVKozlov]

Windows server have another version of renci.ssh in one of a roles/modules. There can be situation that this version loaded.
I suggest you to test existance of this library on both servers and if it exists check what version loaded with module.

[bbrown2008]

I've found a workaround that will allow me to complete and publish my automations tool using New-SSHSession. I dont believe the problem was directly related to anything with the posh-ssh module.

-What i was trying to do was run New-SSHSession from the sideA domain controller since I know that the sideA DC will always be present in any of my environments. For some reason, the key exchange (or perhaps a gpo or policy that applies only to DC's in my environment) to the cisco appliance does not complete when running this from a DC.
-My workaround was to redesign my tool to run these commands from our sideA ADFS server, which is also always present in my environments. The adfs server is running the same version WIndows and posh-ssh (3.0.0) but the New-SSHSession commands work perfectly from my ad fs servers. Go figure.....

At this point, I don't need to figure out why this command will not run on the DC. Thanks for this awesome module and the feedback provided.