Cisco Support Community
New Member

ACS 5.5 - SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication

Our network security testers have identified a vulnerability in our ACS 5.5 system. SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by the testers. How can we set the ACS to only use more secure SSH connections?

The SSH command in the CLI doesn't appear to give encryption options.

Thanks.

3 REPLIES
New Member

First of all, how do you determine that the ACS server is accepting MD5 and 96-bit MAC algorithms?

I tested on the ACS 5.4 patch 6 and I am not seeing anything for MD5:

CentOS-linux>ssh -m hmac-sha1 -l admin 192.168.1.55
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved

Password:
Last login: Mon Jun 30 20:30:47 2014 from 150.123.148.239
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved

acs1/admin# exit
Connection to 192.168.1.55 closed.

CentOS-linux>ssh -m hmac-md5 -l admin 192.168.1.55
no matching mac found: client hmac-md5 server hmac-sha1
CentOS-linux>

 

Where did you get that information from, some system scanner?

New Member

Hi, I ran a variation of cciesec2011's command with 8 hmac variations; the results indicate that all of the encryption levels can be used.

echo | ssh -v -m hmac-sha1 admin@localhost 2>&1 | grep "kex"

 

I substituted -sha1 for md5, ripemd160, sha1-96, md5-96, sha2-256, sha2-512 and umac-64@openssh.com

 

We are still trying to find out how to disable specific low encryption levels within the ACS GUI or command line.

 
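The probing the two replies above did by hand (offer the server exactly one MAC per connection with ssh -m and see whether key exchange completes) can be scripted. The following POSIX shell script is an added example, not code from this thread or from Cisco: it loops over the MAC names the second reply tried, classifies each ssh -v transcript as accepted, rejected or unknown, and flags the ones the testers objected to (MD5-based and 96-bit-truncated MACs). The host 192.168.1.55, the user admin and the MAC list are assumptions taken from the replies; change them for your own appliance. The server's host key is expected to be in known_hosts already, since the script does not disable host key checking.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate which SSH MAC algorithms a
# server accepts by offering one MAC per connection, as the posters did by hand.
# Host, user and MAC list below are assumptions; adjust for your ACS appliance.

# The MACs tried in the second reply, plus the two SHA-2 ones. Any MAC your
# client does not know will make ssh exit with an error before connecting;
# "ssh -Q mac" lists the names an OpenSSH client supports.
MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-ripemd160 \
umac-64@openssh.com hmac-sha2-256 hmac-sha2-512"

# Return 0 if the MAC is one the testers would flag: anything built on MD5,
# or any variant truncated to a 96-bit tag.
is_weak_mac() {
    case "$1" in
        hmac-md5*|*-96|*-96-etm@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one "ssh -v" transcript on stdin and print accepted / rejected / unknown.
# Rejection is reported by both the old OpenSSH wording ("no matching mac
# found: client X server Y") and the newer one ("no matching MAC found. Their
# offer: ..."). Acceptance is inferred from key exchange finishing
# (SSH2_MSG_NEWKEYS sent), which happens before any authentication attempt, so
# a later "Permission denied" does not change the verdict.
classify_mac_probe() {
    transcript=$(cat)
    case "$transcript" in
        *"no matching mac found"*|*"no matching MAC found"*) echo rejected ;;
        *"SSH2_MSG_NEWKEYS sent"*) echo accepted ;;
        *) echo unknown ;;
    esac
}

# Probe HOST as USER with each MAC given as a further argument and print a table.
# BatchMode=yes stops ssh from sitting on the password prompt; the connection is
# still far enough along (past key exchange) for the MAC verdict to be known.
probe_macs() {
    host=$1; user=$2; shift 2
    for mac in "$@"; do
        verdict=$(ssh -v -o BatchMode=yes -o ConnectTimeout=5 \
                      -m "$mac" -l "$user" "$host" exit 2>&1 | classify_mac_probe)
        if is_weak_mac "$mac"; then tag="WEAK"; else tag="ok"; fi
        printf '%-22s %-9s %s\n' "$mac" "$verdict" "$tag"
    done
}

# Only probe when a host and user are given on the command line, e.g.
#   sh probe_macs.sh 192.168.1.55 admin
if [ "$#" -ge 2 ]; then
    probe_macs "$1" "$2" $MACS
fi
```

Any line that reads "accepted WEAK" is a finding the testers would repeat. Note that this only tells you what the server negotiates; it does not change it, and as the thread shows, the ACS 5.x CLI does not expose a setting for the accepted MAC list, so the output is evidence for a support case rather than a fix.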

New Member

Did you find a solution to this? I am trying to find out how to do this as well.
