04-28-2010, 05:46 PM
jdev
VanDyke Technical Support
Overcoming the Cisco "Invalid modulus length" error when connecting with SecureCRT

SecureCRT's "Trace options" (enable it in SecureCRT's main "File" menu prior to attempting a connection) output often shows a common pattern representing a problem when connecting to some Cisco devices using the SSH2 protocol:

[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
...
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV: TCP/IP close

In other words, the "group-exchange" kex algorithm was chosen, but when SecureCRT provides the Cisco device with its initial key exchange information, the Cisco device responds by closing the connection.

If you were to look at the debug information on the Cisco device, you'd likely see something along the lines of an error indicating, "Invalid modulus length". For example:

Apr 29 12:48:26.274: SSH2 0: Invalid modulus length

The "Invalid modulus length" problem is caused by a flaw in the secure shell implementation in place on affected Cisco devices. SecureCRT sends 2046 as the preferred key size for the "Diffie-Hellman Group" key exchange method. Some broken Cisco IOS versions incorrectly require the modulus length be a power of two, although the applicable SSH2 protocol RFC does not mandate this same restriction.

Newer versions of SecureCRT (6.1.2 or later) automatically perform a configuration change that will allow for easy interoperability between SecureCRT and Cisco devices that have this broken secure shell server implementation.

In the event that you are not running SecureCRT 6.1.2 or newer, any one of the following solutions would likely allow you to successfully connect to a Cisco device that is exhibiting the "Invalid modulus length" problem:

Apply a Bug-Fix to the Cisco Device:
Contact Cisco to receive the fix for Bug ID# "CSCsq51052" (likely only available to individuals with a current Cisco service contract).
Or:
Change the key exchange algorithm:
Note: Those of you reading this post who are using SecureCRT 5.1.x or newer can make this change directly in the SecureCRT application by either disabling the "diffie-hellman-group" key exchange method, or moving it to the top of the "Key exchange" list in the SSH2 category of the Session Options dialog, rather than editing the session's .ini file.

If you're using a version of SecureCRT that is older than 5.1.x, you'll need to edit the corresponding session's .ini file.

First, close all instances of SecureCRT. Then open the .ini file associated with the session you are dealing with and manually change the following line from:
S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

to:
S:"Key Exchange Algorithms"=diffie-hellman-group1-sha1

Save your changes to the .ini file, and then start SecureCRT.

Or:
Change the preferred "GEX Preferred Size":
Close all instances of SecureCRT. Then open the .ini file associated with the session you are dealing with and manually change the following line from:
D:"GEX Preferred Size"=000007fe

to:
D:"GEX Preferred Size"=00000800

Save your changes to the .ini file, and then start SecureCRT.
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support

Last edited by jdev; 05-26-2010 at 11:22 AM.
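The two .ini edits described in the post, applied by a small script rather than by hand, as an added example that is not VanDyke's code or SecureCRT's own tooling. It checks whether the D:"GEX Preferred Size" value is a power of two, rounds it up if not (000007fe becomes 00000800), and can alternatively drop the group-exchange method from the S:"Key Exchange Algorithms" list; the sample session text it runs on is constructed here, not a real session file.

```python
import re

# Constructed sample of a SecureCRT session .ini (only the lines the post
# discusses, plus one unrelated line to show it is passed through untouched).
SAMPLE_INI = """S:"Hostname"=router.example.invalid
S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
D:"GEX Preferred Size"=000007fe
"""

GEX_RE = re.compile(r'^(D:"GEX Preferred Size"=)([0-9a-fA-F]{8})$')
KEX_RE = re.compile(r'^(S:"Key Exchange Algorithms"=)(.*)$')


def is_power_of_two(n):
    return n > 0 and n & (n - 1) == 0


def next_power_of_two(n):
    """Smallest power of two >= n (0x7fe -> 0x800); unchanged if already one."""
    return n if is_power_of_two(n) else 1 << n.bit_length()


def gex_size_ok(hex_value):
    """True if the 8-hex-digit GEX size would satisfy the affected IOS check."""
    return is_power_of_two(int(hex_value, 16))


def fix_session_ini(text, drop_gex=False):
    """Return the .ini text with the post's workaround applied.

    By default the GEX preferred size is rounded up to a power of two.
    With drop_gex=True the group-exchange kex method is removed from the
    key exchange list instead, leaving e.g. only diffie-hellman-group1-sha1.
    """
    out = []
    for line in text.splitlines():
        m = GEX_RE.match(line)
        if m:
            size = next_power_of_two(int(m.group(2), 16))
            line = f"{m.group(1)}{size:08x}"
        m = KEX_RE.match(line)
        if m and drop_gex:
            kex = [k for k in m.group(2).split(",")
                   if not k.startswith("diffie-hellman-group-exchange")]
            line = f"{m.group(1)}{','.join(kex)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

As the post says, close all SecureCRT instances before writing the patched text back to the session's .ini file.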