[rancid] As one door closes, another opens... ssh failing with (some) Cisco devices after OS upgrade?
Howard Jones
howie at thingy.com
Fri May 15 16:38:38 UTC 2015
After a lot of fiddling around, I found that my previous RANCID system,
running on CentOS 5 was just not able to reliably deal with ExtremeXOS
switches, apparently due to an expect issue. So I've just finished
moving to a new (RANCID 3.2, CentOS 7) system. I'd forgotten how many
little patches I'd added over the last couple of years, so that was a
fun process! My Extreme switches are backing up correctly, though.
Anyway, now I find that I can't connect to a few Cisco ASRs with SSH
from that new box (works fine with putty). They just drop connection
with this slightly strange message in the logs:
May 15 16:57:30.399 BST: SSH2 1: Client DH key range mismatch with max
built-in DH key on server!
May 15 16:57:30.399 BST: %SSH-5-SSH2_SESSION: SSH2 Session request from
192.168.0.27 (tty = 1) using crypto cipher '', hmac '' Failed
May 15 16:57:30.399 BST: %SSH-5-SSH2_CLOSE: SSH2 Session from
192.168.0.27 (tty = 1) for user '' using crypto cipher '', hmac '' closed
On the Rancid side, I actually copied all the SSH keys (host and rancid
user) across from the old machine, to avoid any 'key changed' type
issues. Running with ssh -v, the last messages are:
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
This seems to be to do with a new lower key size restriction in the newer
openssh version - does anyone know a way around it? Ideally without
regenerating the keys on the routers? In fact, I just tried regenerating
a 2048-bit key on one of the affected routers, and it makes no
difference anyway.
Thanks in advance,
Howard
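Added here as a diagnostic and workaround example, not code from the post or from RANCID: it parses the `ssh -v` lines quoted above to check whether the client's preferred group-exchange size exceeds the router's built-in maximum (assumed to be 4096 bits, the top of Cisco IOS's `ip ssh dh min size` range), and prints a host-scoped ssh_config stanza pinning diffie-hellman-group14-sha1 (assumed to be offered by the device) so the override applies only to those hosts rather than weakening the client's defaults globally.

```shell
#!/bin/sh
# Constructed sample: the relevant lines from the ssh -v run quoted in the post.
SAMPLE_LOG='debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP'

# Largest DH group the device can serve via group exchange.
# ASSUMPTION: 4096 bits (top of the IOS "ip ssh dh min size" range); adjust per platform.
SERVER_DH_MAX=4096

# Read an ssh -v log on stdin and print "min pref max" from the
# SSH2_MSG_KEX_DH_GEX_REQUEST line (empty output if the line is absent).
gex_request_bounds() {
    sed -n 's/.*SSH2_MSG_KEX_DH_GEX_REQUEST(\([0-9]*\)<\([0-9]*\)<\([0-9]*\)).*/\1 \2 \3/p' | head -n 1
}

# True (exit 0) when the client's preferred group size is above the server's ceiling,
# which is the condition under which the router drops the session before sending a group.
gex_exceeds_server() {
    set -- $(gex_request_bounds)
    [ -n "$2" ] && [ "$2" -gt "$SERVER_DH_MAX" ]
}

# Emit a host-scoped ssh_config stanza that replaces group exchange with a fixed
# 2048-bit group. ASSUMPTION: the device offers diffie-hellman-group14-sha1.
# $1 is the Host pattern to scope the override to.
kex_override_stanza() {
    printf 'Host %s\n    KexAlgorithms diffie-hellman-group14-sha1\n' "$1"
}

# Example run over the constructed log; "asr-*" is a placeholder host pattern.
if printf '%s\n' "$SAMPLE_LOG" | gex_exceeds_server; then
    echo "client prefers a DH group larger than the server's ${SERVER_DH_MAX}-bit maximum;"
    echo "add this to ~/.ssh/config for the rancid user:"
    kex_override_stanza 'asr-*'
fi
```

With the stanza in place, `ssh -v` should show `kex: diffie-hellman-group14-sha1` instead of the group-exchange request, and the router log should no longer report the DH key range mismatch.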