01-06-2014 03:29 AM - edited 02-21-2020 05:04 AM
Hello
Our internal network security team has identified a vulnerability regarding the SSH server within the Catalyst switches. As per the vulnerability team, SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by the vulnerability team.
Is there any way by which we can change the algorithms used between the SSH server (switch) and client? From the CLI, can we change the algorithm used in this communication?
Kindly suggest.
01-06-2014 07:49 AM
Have you enabled SSHv2?
01-06-2014 08:43 AM
Hello
SSH is already enabled and is working. This is the vulnerability found by the security team during their assessment. I just wanted to understand whether the option is available from the CLI to configure/change the auth algorithms used between client-server SSH communication.
01-06-2014 08:45 AM
Have you enabled SSHv2 or are you running version 1?
01-06-2014 08:47 AM
SSH-V2 already enabled and working.
01-06-2014 08:59 AM
You will need to change the algorithm in your SSH client. There is no way to do it on the server side.
You can view the encryption with show ssh when you're connected.
Hope it helps.
01-06-2014 09:35 AM
Hello
So I need to change the algorithms in my SSH client, like the PuTTY client I used for initiating the SSH connection.
The output of show ssh is mentioned below:
OLD-1F-192.8#show ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started a548464
0 2.0 OUT aes256-cbc hmac-sha1 Session started a548464
So here the HMAC state (hmac-sha1) defined is the one supported by the switch, right?
The vulnerability team has concerns about hmac-md5 & hmac-md5-96, whereas hmac-sha1 is OK for them.
Please confirm.
01-06-2014 09:40 AM
Yes, the current connections are using SHA1. Correct, you would change it in PuTTY if that is what you use. I use SecureCRT and here's a screenshot of how I can set what encryption to use.
01-06-2014 09:47 AM
Hello
Last query:
So the output of show ssh is showing the MAC used from the SSH client, and this output will change depending on the SSH client configuration. This has nothing to do with the SSH server configuration, which is the Catalyst switch, and there is no way we can change the encryption/auth algorithms to be used by the SSH server (Catalyst switch)?
Many Thanks for your help.
01-06-2014 10:08 AM
That is correct.
03-03-2021 09:40 AM
All due respect, I don't think this statement is accurate (Hopefully, I didn't misunderstand the issue.):
"You will need to change the algorithm in your SSH client. There is no way to do it on the server side."
If I look at the ssh server MAC algorithms, I can see hmac-sha1-96 enabled:
LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
I can restrict those methods with this command:
LAB1-F3-DL1(config)#ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
LAB1-F3-DL1(config)#
LAB1-F3-DL1(config)#end
LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
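As an added illustration (not code from the thread or from Cisco), the following Python script parses `show ip ssh` output in the format quoted above, flags the MAC and cipher algorithms a vulnerability scanner would typically report, and builds the `ip ssh server algorithm` lines that keep only the remaining ones. The weak-algorithm sets are my assumptions based on the MD5 and 96-bit concerns raised in the thread, the CBC check is an extra I added, and the `encryption` keyword of that command is not shown on this page (it is the sibling of the `mac` keyword the post uses).

```python
import re

# Constructed sample, modelled on the "show ip ssh" output quoted in this thread.
SAMPLE_BEFORE = """SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-cbc,aes128-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5-96
"""

# Assumption: these are the MACs a scanner flags (MD5 and 96-bit truncated);
# full-length hmac-sha1 is deliberately left alone, as the thread's team accepted it.
WEAK_MAC = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_ENC_SUFFIX = "-cbc"  # CBC-mode ciphers are a common additional finding


def parse_show_ip_ssh(text):
    """Return {'encryption': [...], 'mac': [...]} from show ip ssh output."""
    algos = {"encryption": [], "mac": []}
    for line in text.splitlines():
        m = re.match(r"^(Encryption|MAC) Algorithms:\s*(.*)$", line.strip())
        if m:
            key = "encryption" if m.group(1) == "Encryption" else "mac"
            algos[key] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algos


def find_weak(algos):
    """Return the weak entries found in each list, preserving switch order."""
    return {
        "mac": [a for a in algos["mac"] if a in WEAK_MAC],
        "encryption": [a for a in algos["encryption"] if a.endswith(WEAK_ENC_SUFFIX)],
    }


def remediation_commands(algos):
    """Build IOS config lines that restrict the server to the non-weak algorithms.

    Only emits a line for a family that actually contains a weak entry, so a
    clean output yields an empty list and nothing needs changing.
    """
    weak = find_weak(algos)
    cmds = []
    if weak["mac"]:
        keep = [a for a in algos["mac"] if a not in weak["mac"]]
        cmds.append("ip ssh server algorithm mac " + " ".join(keep))
    if weak["encryption"]:
        keep = [a for a in algos["encryption"] if a not in weak["encryption"]]
        cmds.append("ip ssh server algorithm encryption " + " ".join(keep))
    return cmds
```

Run it against the real `show ip ssh` output of a switch and re-run after applying the commands: the second pass should return no weak entries and no commands.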