Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
1
Replies

disabling ssh aes256-hmac-md5 and 3des-hmac-md5 on Pix 8.x

cisco24x7
Level 6
Level 6

‎01-05-2008 06:02 AM - edited ‎03-11-2019 04:44 AM

I am currently logging into the Pix 8.0(2) using

ssh version 2. This is my test box:

aaa authentication ssh console ABC LOCAL

aaa accounting ssh console ABC

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

I want to only allow people to ssh into this

pix with AES256-HMAC-SHA1. Furthermore, I want

to disable anyone from ssh into this pix using

either AES256-HMAC-MD5 or 3DES-HMAC-MD5. How

do I go about accomplishing this?

Here is an example:

[root@Linux root]# ssh -v -c 3des -l test1 192.168.1.202

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client 3des-cbc hmac-md5 none

debug1: kex: client->server 3des-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: Next authentication method: password

test1@192.168.1.202's password:

[root@Linux root]# ssh -v -c aes256-cbc -l test1 192.168.1.202

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes256-cbc hmac-md5 none

debug1: kex: client->server aes256-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: Authentications that can continue: password

debug1: Next authentication method: password

test1@192.168.1.202's password:

[root@Linux root]# ssh -v -c aes256-cbc -m hmac-sha1 -l test1 192.168.1.202

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes256-cbc hmac-sha1 none

debug1: kex: client->server aes256-cbc hmac-sha1 none

debug1: Authentications that can continue: password

debug1: Next authentication method: password

test1@192.168.1.202's password:

Labels:
0 Helpful
1 Reply 1
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card