12-30-2007 04:53 AM - edited 03-12-2019 05:55 PM
I have a Cisco router running IOS 12.3, c2600-ik9o3s3-mz.123-12.bin. I've enabled SSH on the device so that other administrators can SSH into the device for administration purposes.
I want to disable the DES feature on the device. In other words, currently anyone can log into the device with either the DES or the 3DES cipher, as seen below:
[root@LinuxES root]# ssh -v -c des -l cisco 192.168.1.1
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '192.168.1.1' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
cisco@192.168.1.1's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Requesting shell.
debug1: Entering interactive session.
BGP_Trigger>exit
Connection to 192.168.1.1 closed.
debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 2.0 seconds
debug1: Bytes per second: stdin 2.5, stdout 9.9, stderr 18.3
debug1: Exit status 0
[root@LinuxES root]# ssh -v -c 3des -l cisco 192.168.1.1
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '192.168.1.1' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
cisco@192.168.1.1's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Requesting shell.
debug1: Entering interactive session.
BGP_Trigger>exit
Connection to 192.168.1.1 closed.
debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 1.0 seconds
debug1: Bytes per second: stdin 4.9, stdout 19.7, stderr 36.4
debug1: Exit status 0
[root@LinuxES root]#
How do I go about disabling DES on the system? I know how to accomplish this with Unix devices. I'm not sure if it is possible with Cisco devices. This is seen as a security risk to me.
Thanks.
CCIE Security
12-30-2007 09:07 AM
If I'm not mistaken, are you talking about the SSH version? In global config just change it to version 2.
router(config)#ip ssh version 2
12-30-2007 09:21 AM
What are you talking about?
BGP_Trigger(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
port Starting (or only) Port number to listen on
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
BGP_Trigger(config)#ip ssh
The feature you're talking about is in 12.3T, 12.4 and later.
Furthermore, I just want to disable DES SSH login, not change it to version 2.
CCIE Security
12-30-2007 09:27 PM
SSH version 2 does not even support DES, so changing your config to "ip ssh version 2" seems to solve your problem, like Adam said.
If your IOS version doesn't support version 2, then you probably need to upgrade it.
12-31-2007 07:03 AM
Let me re-phrase my question a little differently:
1- How can I stop users from SSHing into the router with 3DES? I only want users to SSH into my device with AES256.
2- I want users to log in with AES256/SHA-1 only. I do not want to use AES256/MD5, as seen below:
[root@Linux]# ssh -v -c aes256-cbc -l cisco 192.168.1.1
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 243/512
debug1: bits set: 500/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: password
debug1: next auth method to try is password
cisco@192.168.1.1's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 1024 rmax 4096
Router>
I can accomplish this on a Linux box by modifying the /etc/ssh/sshd_config file. How can I do the same thing in Cisco IOS?
Thanks.
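The two negotiations quoted in this thread (SSH1 with DES, SSH2 with aes256-cbc and hmac-md5) can be checked mechanically before any router configuration is touched. The following is an added example, not code from any post in the thread: a small Python audit that parses `ssh -v` output in the shape of the transcripts above and flags protocol 1, weak ciphers and weak MACs. The embedded sample transcripts are constructed, trimmed to the lines that matter.

```python
import re
from dataclasses import dataclass, field

# Algorithms this audit flags; DES/3DES and hmac-md5 are the ones the thread asks about.
WEAK_CIPHERS = {"des", "3des", "3des-cbc", "blowfish-cbc", "arcfour"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Constructed samples: trimmed lines in the format of the ssh -v transcripts quoted above.
SSH1_DES_SESSION = """\
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: Encryption type: des
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
"""

SSH2_AES_MD5_SESSION = """\
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
"""

@dataclass
class SshAudit:
    protocol: str = "unknown"
    ciphers: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    findings: list = field(default_factory=list)

PROTO_RE = re.compile(r"Remote protocol version (\d\.\d)")
SSH1_CIPHER_RE = re.compile(r"Encryption type: (\S+)")          # SSH1: one cipher, no MAC
SSH2_KEX_RE = re.compile(r"kex: (?:server->client|client->server) (\S+) (\S+) (\S+)")  # cipher MAC compression

def audit_ssh_debug(transcript: str) -> SshAudit:
    # Walk the client debug output and collect what was actually negotiated.
    result = SshAudit()
    for line in transcript.splitlines():
        if m := PROTO_RE.search(line):
            result.protocol = m.group(1)
        elif m := SSH1_CIPHER_RE.search(line):
            result.ciphers.add(m.group(1))
        elif m := SSH2_KEX_RE.search(line):
            result.ciphers.add(m.group(1))
            result.macs.add(m.group(2))
    # Findings are deterministic (sorted) so they can be diffed between audits.
    if result.protocol.startswith("1"):
        result.findings.append("protocol 1 negotiated")
    for cipher in sorted(result.ciphers & WEAK_CIPHERS):
        result.findings.append(f"weak cipher {cipher}")
    for mac in sorted(result.macs & WEAK_MACS):
        result.findings.append(f"weak MAC {mac}")
    return result
```

Run `audit_ssh_debug` over a full `ssh -v` capture; an empty `findings` list for every cipher the client is forced to try (`-c des`, `-c 3des`, `-m hmac-md5`) is the evidence that the router no longer accepts them.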
12-31-2007 07:42 AM
You need SSHv2.
I think that to completely cover all you want done you need to look at adding an AAA server or look into VPNs for more control.
12-31-2007 07:59 AM
SSHv2? Can you elaborate on this?
AAA or VPNs? Can you elaborate on this as well? How will AAA solve my issue of disabling 3DES and AES256/MD5?
Thanks.