Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Silver

only allowing users to ssh in with 3DES

I have a cisco router running IOS 12.3,

c2600-ik9o3s3-mz.123-12.bin. I've enabled

ssh on the device so that other administrators can ssh into the device for

administration purposes.

I want to disable the DES feature from the device. In other words, currently

anyone can log into the device with

either DES or 3DES cipher, as seen below:

[root@LinuxES root]# ssh -v -c des -l cisco 192.168.1.1

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.

debug1: Connection established.

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type 1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: Remote protocol version 1.5, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2

debug1: Waiting for server public key.

debug1: Received server public key (768 bits) and host key (1024 bits).

debug1: Host '192.168.1.1' is known and matches the RSA1 host key.

debug1: Found key in /root/.ssh/known_hosts:10

debug1: Encryption type: des

debug1: Sent encrypted session key.

Warning: use of DES is strongly discouraged due to cryptographic weaknesses

debug1: Installing crc compensation attack detector.

debug1: Received encrypted confirmation.

debug1: Doing password authentication.

cisco@192.168.1.1's password:

debug1: Requesting pty.

debug1: Requesting X11 forwarding with authentication spoofing.

Warning: Remote host denied X11 forwarding.

debug1: Requesting shell.

debug1: Entering interactive session.

BGP_Trigger>exit

Connection to 192.168.1.1 closed.

debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 2.0 seconds

debug1: Bytes per second: stdin 2.5, stdout 9.9, stderr 18.3

debug1: Exit status 0

[root@LinuxES root]# ssh -v -c 3des -l cisco 192.168.1.1

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.

debug1: Connection established.

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type 1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: Remote protocol version 1.5, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2

debug1: Waiting for server public key.

debug1: Received server public key (768 bits) and host key (1024 bits).

debug1: Host '192.168.1.1' is known and matches the RSA1 host key.

debug1: Found key in /root/.ssh/known_hosts:10

debug1: Encryption type: 3des

debug1: Sent encrypted session key.

debug1: Installing crc compensation attack detector.

debug1: Received encrypted confirmation.

debug1: Doing password authentication.

cisco@192.168.1.1's password:

debug1: Requesting pty.

debug1: Requesting X11 forwarding with authentication spoofing.

Warning: Remote host denied X11 forwarding.

debug1: Requesting shell.

debug1: Entering interactive session.

BGP_Trigger>exit

Connection to 192.168.1.1 closed.

debug1: Transferred: stdin 5, stdout 20, stderr 37 bytes in 1.0 seconds

debug1: Bytes per second: stdin 4.9, stdout 19.7, stderr 36.4

debug1: Exit status 0

[root@LinuxES root]#

How do go about disabling DES on the system?

I know how to accomplish this with Unix

devices. Not sure if it is possible with

Cisco devices. This is seen as a security risk to me.

Thanks.

CCIE Security

6 REPLIES
Community Member

Re: only allowing users to ssh in with 3DES

If I'm not mistaking, are you talking about the ssh ver? In global config just change it to ver 2..

router(config)#ip ssh version 2

Silver

Re: only allowing users to ssh in with 3DES

What are you talking about?

BGP_Trigger(config)#ip ssh ?

authentication-retries Specify number of authentication retries

break-string break-string

port Starting (or only) Port number to listen on

rsa Configure RSA keypair name for SSH

source-interface Specify interface for source address in SSH connections

time-out Specify SSH time-out interval

BGP_Trigger(config)#ip ssh

The feature you're talking about is in

12.3T, 12.4 and later.

Furthermore, I just want to disable des ssh

login, not changing it to version 2.

CCIE Security

Gold

Re: only allowing users to ssh in with 3DES

ssh version 2 does not even support DES, so changing your config to "ip ssh version 2" seems to solve your problem - like adam said.

If your IOS version doesn't support version 2, then you probably need to upgrade it.

Silver

Re: only allowing users to ssh in with 3DES

Let me re-phrase my question a little differently:

1- How can I disable users from ssh into

the router with 3des? I only want users

to ssh into my device with aes256?

2- I want users to login with only AES256/sha-1

only. I do not want to use aes256/md5, as

seen below:

[root@Linux]# ssh -v -c aes256-cbc -l cisco 192.168.1.1

OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: ssh_connect: needpriv 0

debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.

debug1: Connection established.

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.5p1

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes256-cbc hmac-md5 none

debug1: kex: client->server aes256-cbc hmac-md5 none

debug1: dh_gen_key: priv key bits set: 243/512

debug1: bits set: 500/1024

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

debug1: Host '192.168.1.1' is known and matches the RSA host key.

debug1: Found key in /root/.ssh/known_hosts:4

debug1: bits set: 522/1024

debug1: ssh_rsa_verify: signature correct

debug1: kex_derive_keys

debug1: newkeys: mode 1

debug1: cipher_init: set keylen (16 -> 32)

debug1: SSH2_MSG_NEWKEYS sent

debug1: waiting for SSH2_MSG_NEWKEYS

debug1: newkeys: mode 0

debug1: cipher_init: set keylen (16 -> 32)

debug1: SSH2_MSG_NEWKEYS received

debug1: done: ssh_kex2.

debug1: send SSH2_MSG_SERVICE_REQUEST

debug1: service_accept: ssh-userauth

debug1: got SSH2_MSG_SERVICE_ACCEPT

debug1: authentications that can continue: password

debug1: next auth method to try is password

cisco@192.168.1.1's password:

debug1: ssh-userauth2 successful: method password

debug1: channel 0: new [client-session]

debug1: send channel open 0

debug1: Entering interactive session.

debug1: ssh_session2_setup: id 0

debug1: channel request 0: pty-req

debug1: channel request 0: shell

debug1: fd 3 setting TCP_NODELAY

debug1: channel 0: open confirm rwindow 1024 rmax 4096

Router>

I can accomplish on a Linux box by modifying

the /etc/ssh/sshd_config file. How can

I do the same thing in cisco IOS?

Thanks.

Community Member

Re: only allowing users to ssh in with 3DES

You need sshv2.

I think to completely cover all you want done you need to look at adding a AAA server or look into VPNs for more control.

Silver

Re: only allowing users to ssh in with 3DES

sshv2? Can you elaborate on this?

AAA or VPNs? Can you also elaborate on this

as well? How will AAA solve my disabling

3des and aes256/md5 issue?

Thanks.

320
Views
0
Helpful
6
Replies
CreatePlease to create content