net-mgmt/rancid and cisco ssh kexalgorithms

Kevin Oberman rkoberman at
Wed Jan 14 16:49:56 UTC 2015

On Wed, Jan 14, 2015 at 6:35 AM, Marko Cupać <marko.cupac at> wrote:

> Hi,
> as of FreeBSD 9.3, it is not possible to ssh into some cisco routers
> (namely 1921 and 3925 in my case), unless option -o KexAlgorithms=
> diffie-hellman-group14-sha1 is specified. Probably, as a consequence,
> rancid stopped working for these routers since I upgraded OS on which
> it is installed to 9.3.
> How can I make this work again?
> Thank you in advance,
> --
> Marko Cupać

This looks like an issue that should go to the RANCiD developers upstream.
It's a rather trivial thing to adjust the expect script for clogin to deal
with this, though it probably should be more than just adding the option to
the ssh command to make it specific to the routers that actually require
it. I suspect that OpenSSH portable has removed this key exchange mechanism
as a default due to concerns with SHA1, but that is just a guess as I have
not been following either RANCiD or OpenSSH since I retired.

I do suspect that adding this option to clogin is all that is required to
get it working for you, though. Just look through clogin for 'ssh' to find
the commands. (Note that there are probably at least two cases and you
probably want to change all of them.)
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at
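
The reply's point about making the option specific to the routers that require it can also be met in the ssh client configuration instead of in clogin. The fragment below is an added example, not part of the original thread and not RANCID's own code; the hostnames are placeholders, and it assumes the ssh commands that clogin runs read the per-user configuration file of the account rancid runs as.

```sshconfig
# Constructed example: hostnames are placeholders, not taken from the thread.
# File: ~/.ssh/config of the account that runs rancid (assumption: the ssh
# commands issued by clogin read the default per-user configuration file).

# Too broad: under "Host *" the SHA-1 based key exchange would be the only
# one offered to every device this account connects to.
#Host *
#    KexAlgorithms diffie-hellman-group14-sha1

# Scoped: only the routers that fail without it get the legacy key exchange.
# Host patterns are matched against the name given on the ssh command line,
# so use the same names that appear in rancid's router list.
Host router-1921.example.net router-3925.example.net
    KexAlgorithms diffie-hellman-group14-sha1

# All other hosts keep the client's default key exchange list.
# ssh uses the first value it obtains for each option, so host-specific
# blocks must stay above any later "Host *" block.
```

Listing an explicit value replaces the default key exchange list for the matched hosts only, so a later firmware upgrade on those routers is the point at which to delete the block.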

More information about the freebsd-ports mailing list