Cisco Support Community

New Member

disabling ssh Version 1

We have a Security Vendor that performs scans of our Internet facing equipment.

I have a 3825 Cisco ISR facing the Internet.

I have an SSH compliant IOS version running on the router. I also have enabled Version 2 of SSH by implementing the command "ip ssh ver 2" and the router likes the command.

For whatever reason, when the router is scanned, it shows SSH v.1 still open.

How can I turn off V.1? The documentation I have read indicates that v.1 is supposed to be turned off when v.2 is enabled, but that does not seem to be the case here.

Thanks in advance.

Kevin

Accepted Solutions
Hall of Fame Super Bronze

Re: disabling ssh Version 1

When running just version 1:

R1(config)#ip ssh ver 1
R1#sh ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

When running version 1 and 2 (default):

R1(config)#no ip ssh ver
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

When running version 2:

R1(config)#ip ssh ver 2
R1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

If you get 2.0 in the output, you should be fine and the scanner is giving you a false positive.

__

Edison.
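
The version numbers in the answer above (1.5, 1.99, 2.0) are the same values an SSH server puts in its identification string, where RFC 4253 uses 1.99 for a server that accepts both protocol versions. As an added example that is not part of the original post, this Python sketch compares what the router reports with the banner that answers on the scanned address; the function names and the sample banners in the comments are constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
# The line printed by "show ip ssh", as quoted in the answer above
SHOW_RE = re.compile(r"SSH Enabled - version (\d+\.\d+)")

def accepts_v1(protoversion):
    """1.5 is SSHv1 only; 1.99 is the compatibility value for v1 and v2."""
    return protoversion.startswith("1.")

def banner_version(banner):
    """Extract protoversion from a banner such as 'SSH-1.99-Cisco-1.25' (constructed)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    return m.group(1)

def show_version(show_output):
    """Extract the version from pasted 'show ip ssh' output."""
    m = SHOW_RE.search(show_output)
    if not m:
        raise ValueError("no 'SSH Enabled - version' line found")
    return m.group(1)

def read_banner(host, port=22, timeout=5.0):
    """Read the identification line; a server may send other lines first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):
            line = f.readline(256).decode("ascii", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return line.strip()
    raise ValueError("no SSH banner received")

def compare(show_output, banner):
    """Check that the router's own report and the on-the-wire banner agree."""
    cfg, wire = show_version(show_output), banner_version(banner)
    if cfg != wire:
        return "mismatch: router reports %s, banner advertises %s" % (cfg, wire)
    if accepts_v1(wire):
        return "SSHv1 offered (version %s)" % wire
    return "SSHv2 only (version %s)" % wire
```

Calling `compare(pasted_show_output, read_banner(address))` against the address the vendor scans shows whether the finding matches the device you configured; a mismatch means the banner came from something other than the configuration you inspected.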

3 REPLIES
Purple

Re: disabling ssh Version 1

What does "show ip ssh" show?

New Member

What type of connection can this be done from? If I am using ssh to configure the device, is there a chance I will lose connectivity when I enter the "no ip ssh ver" command?
