I'm trying to turn off SSH version 1 & 2 to pass PCI compliance. Problem is, I cannot touch the VPN link between the two offices. I'm afraid the PKI certificate used for the VPN will be deleted if I zeroize the RSA key, which seems to be the only way to stop the router responding on port 22.
Here is the stuff from the running config related to the crypto map:
I'm only a CCNA, so I'm not even sure if the certificate or RSA key is being used for the VPN link, but I can't tell from the running config that zeroizing it would be a good idea and not break the VPN.
I'm open to other ways of disabling SSH, as we are able to just connect using a console cable. But it looks like denying port 22 with an access-list doesn't even stop the router from responding to the port...
When you say that you want to eliminate SSH on the router does that mean that you want to have no remote access to the router? The suggestion of transport input none will result in no remote access. If that is what you want then it is a good suggestion. If you want some remote access, then what kind of remote access do you want to allow? When we know that we can give you better advice about what to do.
Here is the output of the command "show crypto key mypubkey rsa":
% Key pair was generated at: 22:51:11 UTC Jul 13 2010
Key name: TP-self-signed-4087584599
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 17:32:34 UTC Aug 23 2012
Key name: TP-self-signed-4087584599.server
Usage: Encryption Key
Key is not exportable.
I already have transport set to none; the port is still open, however, even though trying to connect gives you a timeout.
We use TeamViewer to remote into the server, then use COM1 to get to the router, which is not ideal if you accidentally bring down the internet, but I'm very wary about doing anything that might do that, or touch the VPN connection. Hence the reservation about zeroizing the RSA key and deleting those certs.
output of "crypto key zeroize rsa":
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
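The checks and the lockdown a practitioner would run in this situation, as an added example that is not from this thread or from Cisco. It covers both the "transport input none" suggestion above and the question of whether zeroizing the key is safe. It assumes a classic IOS 12.4T / 15.x CLI; the ACL, class-map and policy-map names (COPP-SSH, COPP-SSH-CLASS, COPP) are made up for the example, and the trustpoint name is the one from the "show crypto key mypubkey rsa" output in the thread. No command output is shown because none was posted for these commands.

```cisco
! --- 1. Find out what the VPN actually authenticates with before zeroizing anything ---
! If the ISAKMP policy reports "Pre-Shared Key", the site-to-site tunnel does not use
! the RSA key pair or a certificate; "Rivest-Shamir-Adleman Signature" means it does.
show crypto isakmp policy
show crypto isakmp key
! Which trustpoint owns the key pair, and whether any ISAKMP profile or crypto map
! references that trustpoint (TP-self-signed-<serial> is the auto-generated
! self-signed trustpoint; the output of "rsakeypair" under it names the key).
show run | section crypto pki
show run | section crypto map
show run | section crypto isakmp
show crypto pki certificates

! --- 2. Stop SSH/Telnet sessions on the vty lines (this is what "transport input none" does) ---
line vty 0 4
 transport input none
! only if the platform has more vty lines
line vty 5 15
 transport input none

! --- 3. The TCP/22 listener stays up as long as an RSA key pair exists. Drop those
!        packets at the control plane instead of zeroizing the key. A control-plane
!        policy only sees traffic addressed to the router itself, so transit traffic
!        and the IPsec/ISAKMP tunnel (UDP 500/4500, ESP) are not affected.
!        Names below are hypothetical.
ip access-list extended COPP-SSH
 permit tcp any any eq 22
class-map match-all COPP-SSH-CLASS
 match access-group name COPP-SSH
policy-map COPP
 class COPP-SSH-CLASS
  drop
control-plane
 service-policy input COPP

! --- 4. Verify ---
show ip ssh
show policy-map control-plane
! then re-scan TCP/22 from another host; the drop counter above should increment
```

Apply step 3 from the console, since it cuts off SSH from every source including your own management host. If the PCI finding is only about SSH version 1, "ip ssh version 2" disables SSHv1 while keeping SSHv2 management access, and "access-class" on the vty lines restricts which sources may connect; neither requires touching the RSA key pair or the trustpoint.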