only allowing users to ssh in with 3DES

cisco24x7
Level 6

I have a Cisco router running IOS 12.3, c2600-ik9o3s3-mz.123-12.bin. I've enabled ssh on the device so that other administrators can ssh into the device for administration purposes.

I want to disable the DES feature from the device. In other words, currently anyone can log into the device with either DES or 3DES cipher, as seen below:

[root@LinuxES root]# ssh -v -c des -l cisco 192.168.1.1
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '192.168.1.1' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
cisco@192.168.1.1's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Requesting shell.
debug1: Entering interactive session.
BGP_Trigger>exit
Connection to 192.168.1.1 closed.
debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 2.0 seconds
debug1: Bytes per second: stdin 2.5, stdout 9.9, stderr 18.3
debug1: Exit status 0

[root@LinuxES root]# ssh -v -c 3des -l cisco 192.168.1.1
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '192.168.1.1' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
cisco@192.168.1.1's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Requesting shell.
debug1: Entering interactive session.
BGP_Trigger>exit
Connection to 192.168.1.1 closed.
debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 1.0 seconds
debug1: Bytes per second: stdin 4.9, stdout 19.7, stderr 36.4
debug1: Exit status 0
[root@LinuxES root]#

How do I go about disabling DES on the system? I know how to accomplish this with Unix devices. Not sure if it is possible with Cisco devices. This is seen as a security risk to me.

Thanks.

CCIE Security

Adam Frederick
Level 3

If I'm not mistaken, are you talking about the ssh version? In global config just change it to version 2.

router(config)#ip ssh version 2

What are you talking about?

BGP_Trigger(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  time-out                Specify SSH time-out interval
BGP_Trigger(config)#ip ssh

The feature you're talking about is in 12.3T, 12.4 and later.

Furthermore, I just want to disable des ssh login, not change it to version 2.

CCIE Security

ssh version 2 does not even support DES, so changing your config to "ip ssh version 2" seems to solve your problem, like Adam said.

If your IOS version doesn't support version 2, then you probably need to upgrade it.

Let me re-phrase my question a little differently:

1- How can I disable users from ssh into the router with 3des? I only want users to ssh into my device with aes256.

2- I want users to login with AES256/sha-1 only. I do not want to use aes256/md5, as seen below:

[root@Linux]# ssh -v -c aes256-cbc -l cisco 192.168.1.1
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 243/512
debug1: bits set: 500/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: password
debug1: next auth method to try is password
cisco@192.168.1.1's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 1024 rmax 4096
Router>

I can accomplish this on a Linux box by modifying the /etc/ssh/sshd_config file. How can I do the same thing in Cisco IOS?

Thanks.
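An added example, not part of this thread and not Cisco's or OpenSSH's code: a small Python audit that parses `ssh -v` transcripts like the ones pasted above (both the SSH-1 "Encryption type:" form and the SSH-2 "kex: server->client ..." form) and reports whether the negotiated protocol, cipher and MAC meet a policy that rejects SSH-1, DES/3DES and MD5-based MACs. The sample transcripts embedded below are constructed, shortened copies of the thread's output; the WEAK_CIPHERS and WEAK_MACS sets are this example's own policy assumptions, not anything IOS enforces.

```python
import re
import sys

# Constructed samples: the lines from an `ssh -v` session that matter for the
# audit, in the shape of the transcripts posted in this thread.
SSH1_DES_SESSION = """\
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
"""

SSH2_AES_MD5_SESSION = """\
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
"""

# Constructed "good" session: what the poster says they want (AES-256 with an
# HMAC-SHA1 integrity check over SSH-2).
SSH2_OK_SESSION = """\
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: kex: server->client aes256-ctr hmac-sha1 none
debug1: kex: client->server aes256-ctr hmac-sha1 none
"""

# Policy (assumption of this example): algorithm names as OpenSSH prints them.
WEAK_CIPHERS = {"des", "3des", "3des-cbc", "blowfish", "blowfish-cbc",
                "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

PROTO_RE = re.compile(r"Remote protocol version (\d\.\d)")
SSH1_CIPHER_RE = re.compile(r"Encryption type: (\S+)")
# SSH-2 prints one line per direction: cipher, MAC, compression.
SSH2_KEX_RE = re.compile(r"kex: (server->client|client->server) (\S+) (\S+) (\S+)")


def parse_session(text):
    """Extract protocol version and the negotiated cipher/MAC names from `ssh -v` output."""
    result = {"protocol": None, "ciphers": set(), "macs": set()}
    for line in text.splitlines():
        m = PROTO_RE.search(line)
        if m:
            result["protocol"] = m.group(1)
            continue
        m = SSH1_CIPHER_RE.search(line)
        if m:
            # SSH-1 negotiates only a cipher; integrity is a CRC, not a MAC.
            result["ciphers"].add(m.group(1))
            continue
        m = SSH2_KEX_RE.search(line)
        if m:
            result["ciphers"].add(m.group(2))
            result["macs"].add(m.group(3))
    return result


def audit_session(text):
    """Return a sorted list of policy findings; an empty list means the session passes."""
    s = parse_session(text)
    findings = []
    if s["protocol"] is None:
        findings.append("no protocol version line found")
    elif s["protocol"].startswith("1."):
        findings.append(f"protocol {s['protocol']} (SSH-1) negotiated")
    for cipher in sorted(s["ciphers"]):
        if cipher in WEAK_CIPHERS:
            findings.append(f"weak cipher {cipher}")
    for mac in sorted(s["macs"]):
        if mac in WEAK_MACS:
            findings.append(f"weak MAC {mac}")
    return findings


def main():
    """Audit a transcript from stdin, or the built-in samples when none is given."""
    if not sys.stdin.isatty():
        samples = {"stdin": sys.stdin.read()}
    else:
        samples = {"ssh1-des": SSH1_DES_SESSION,
                   "ssh2-aes256-md5": SSH2_AES_MD5_SESSION,
                   "ssh2-aes256-sha1": SSH2_OK_SESSION}
    for name, text in samples.items():
        findings = audit_session(text)
        print(f"{name}: {'PASS' if not findings else 'FAIL: ' + '; '.join(findings)}")


if __name__ == "__main__":
    main()
```

Feed it a saved `ssh -v` transcript on stdin to check a session you just made to your own router. It only records what that one session negotiated; it cannot tell you what the server would still accept from a client that asks for something weaker, so each cipher you want excluded has to be tried and seen refused, as the poster did above.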

You need sshv2.

I think to completely cover all you want done you need to look at adding an AAA server or look into VPNs for more control.

sshv2? Can you elaborate on this?

AAA or VPNs? Can you also elaborate on this as well? How will AAA solve my disabling 3des and aes256/md5 issue?

Thanks.
