2821 ISR - ssh2

cdcjim2877
Level 1

Hi,

I would like to know if the following IOS version only supports ssh v.1.99 or if it supports true ssh v.2.

The IOS is 12.4(13r)T

Our Nessus scans continue to kick back the vulnerability due to the 1.99 option which allows version 1 ssh connections. I believe we may have purchased the incorrect IOS image for the router.

If not, how do I allow the router to only accept version 2 connections?

ip ssh version 2.0 at the CLI continues to report back as v1.99

thanks,

Jim

8 Replies

davy.timmermans
Level 4

Can you try if the following command is supported:

(config)#ip ssh version 2

Jim

Release 12.4T should support SSH version 2, assuming that it supports SSH.

I have seen a couple of situations where IOS seems to have gotten confused and was not enabling version 2 as desired. If that is your case I would suggest that you remove the version 2 specification (no ip ssh version 2), then regenerate the RSA keys used for SSH (perhaps zeroize the key and then regenerate it, if you want to be very thorough), then enable version 2 with ip ssh version 2. I have seen situations where doing this did resolve the issue. I do not know if that is your issue but it would be worth trying.

HTH

Rick

Once I stepped through your comments on the router, version 2 (only, not v1.99) now shows.

I have also tested by trying to connect via SSH 1 client and am not able to connect.

thanks,

Jim

Jim

I am glad that my suggestions were able to help you to resolve your issue.

HTH

Rick

Yes, command is supported.

Edison Ortiz
Hall of Fame

v1.99 is the default SSH output when running v1 and v2. I've covered the outputs you get for each version on this thread http://tinyurl.com/c7uydc

Can you post the output from typing show version?

__

Edison.

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3i), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 28-Nov-07 21:09 by stshen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

TT_HQ_2821_CR_1 uptime is 1 week, 2 days, 3 hours, 39 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-3i.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2821 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1221A2MM
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Edison is right.

Version 1.99 = Mixed Mode SSHv1&2

Version 1.50 = Only SSHv1

Version 2.00 = Only SSHv2
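The version table above is exactly what a scanner such as Nessus reads from the server's SSH identification string ("SSH-<protoversion>-<softwareversion>", RFC 4253 section 4.2). The small script below is an added example, not code from the thread or from Cisco: it classifies a banner using the table's mapping (1.99 = mixed v1/v2, 1.x = v1 only, 2.0 = v2 only) so you can confirm, after applying Rick's remove/regenerate/re-enable procedure, that the router really answers with 2.0. The sample banners are constructed for illustration; `fetch_banner` reads only the identification line from a device you administer and attempts no login.

```python
import re
import socket

# Identification string per RFC 4253 section 4.2: "SSH-<proto>-<software>[ comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def classify_protoversion(proto):
    """Map the protoversion field to the modes listed in the thread."""
    if proto == "1.99":
        return "mixed: accepts SSHv1 and SSHv2"
    if proto.startswith("1."):
        return "SSHv1 only"
    if proto == "2.0":
        return "SSHv2 only"
    return "unknown protoversion %s" % proto


def parse_banner(line):
    """Parse one identification line into proto, software and a verdict.

    v1_allowed is True for any 1.x protoversion, including 1.99, which is
    the condition a vulnerability scanner flags.
    """
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    proto = m.group("proto")
    return {
        "proto": proto,
        "software": m.group("software"),
        "verdict": classify_protoversion(proto),
        "v1_allowed": proto.startswith("1."),
    }


def fetch_banner(host, port=22, timeout=5.0):
    """Read the server's identification line from a live host (not run here).

    RFC 4253 lets a server send other lines before the "SSH-" line, so skip
    up to a bounded number of them. Only the banner is read; the socket is
    closed without starting key exchange or authentication.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(100):
            line = f.readline().decode("ascii", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no SSH identification string received from %s" % host)


# Constructed sample banners (not captured from the router in the thread)
SAMPLE_BANNERS = [
    "SSH-1.99-Cisco-1.25",   # mixed mode, what Jim saw before the fix
    "SSH-2.0-Cisco-1.25",    # v2 only, the desired state
    "SSH-1.5-Cisco-1.25",    # v1 only
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        result = parse_banner(banner)
        flag = "FLAG" if result["v1_allowed"] else "ok  "
        print(flag, banner, "->", result["verdict"])
```

Run it against your own router with `parse_banner(fetch_banner("router-ip"))` once `ip ssh version 2` has been applied; anything other than a 2.0 protoversion means the scanner finding will persist. Note also that in the show version output above the running image is 12.4(3i); 12.4(13r)T is the ROM bootstrap version, not the IOS release in use.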
