15971 Views · 10 Helpful · 10 Replies

SSH Algorithm

sameermunj (Level 1)

Hello

Our internal network security team has identified a vulnerability regarding the SSH server within the Catalyst switches. As per the vulnerability team, SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by the vulnerability team.

Is there any way by which we can change the algorithms used between the SSH server (switch) and client? From the CLI, can we change the algorithm used in this communication?

Kindly suggest.


Collin Clark (VIP Alumni)

Have you enabled SSHv2?

Hello

SSH is already enabled and is working. This is the vulnerability found by the security team during their assessment. I just wanted to understand whether the option is available from the CLI to configure/change the auth algorithms used between client-server SSH communication.

Have you enabled SSHv2 or are you running version 1?

SSH-V2 already enabled and working.

You will need to change the algorithm in your SSH client. There is no way to do it on the server side.

You can view the encryption with show ssh when you're connected.

Hope it helps.

Hello

So I need to change the algorithms in my SSH client, like the Putty client I used for initiating the SSH connection.

The output of show ssh is mentioned below:

OLD-1F-192.8#show ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-cbc  hmac-sha1    Session started       a548464
0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       a548464

So here the Hmac (hmac-sha1) shown is the one supported by the switch, right?

The vulnerability team has concerns about hmac-md5 & hmac-md5-96, whereas hmac-sha1 is OK for them.

Please confirm.

Yes, the current connections are using SHA1. Correct, you would change it in Putty if that is what you use. I use SecureCRT and here's a screenshot of how I can set what encryption to use.

Hello

My last query is:

So the output of show ssh is showing the MAC used from the SSH client, and this output will change depending on the SSH client configuration; this has nothing to do with the SSH server configuration, which is the Catalyst switch, and there is no way we can change the encryption/auth algorithms to be used by the SSH server (Catalyst switch).

Many Thanks for your help.

That is correct.

All due respect, I don't think this statement is accurate (Hopefully, I didn't misunderstand the issue.):
"You will need to change the algorithm in your SSH client. There is no way to do it on the server side."

If I look at the ssh server MAC algorithms, I can see hmac-sha1-96 enabled:

LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96

I can restrict those methods with this command:

LAB1-F3-DL1(config)#ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512

LAB1-F3-DL1(config)#
LAB1-F3-DL1(config)#end
LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
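As an added example (not from the thread), a small Python audit script that parses `show ip ssh` output in the format shown above, flags MD5 and 96-bit MACs plus CBC ciphers, and prints the `ip ssh server algorithm` lines that would keep only the remaining algorithms. The sample output is constructed; the `encryption` form of the command is not shown in the thread and is assumed to be available on the same IOS releases that accept the `mac` form.

```python
import re

# Constructed sample of "show ip ssh" output, in the layout shown in the thread,
# with MD5/96-bit MACs and a CBC cipher present so the audit has something to flag.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
"""

# Policy patterns: MD5-based and truncated (96-bit) MACs, CBC-mode and legacy ciphers.
# Adjust to match what your own vulnerability team flags.
WEAK_MAC = re.compile(r"md5|-96$")
WEAK_ENC = re.compile(r"-cbc$|arcfour|3des")

def parse_show_ip_ssh(text):
    """Return {'encryption': [...], 'mac': [...]} from show ip ssh output."""
    algs = {"encryption": [], "mac": []}
    for line in text.splitlines():
        m = re.match(r"^(Encryption|MAC) Algorithms:\s*(.*)$", line.strip())
        if m:
            key = "encryption" if m.group(1) == "Encryption" else "mac"
            algs[key] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algs

def audit(algs):
    """Split each algorithm list into (weak, strong) per the patterns above."""
    return {
        "encryption": ([a for a in algs["encryption"] if WEAK_ENC.search(a)],
                       [a for a in algs["encryption"] if not WEAK_ENC.search(a)]),
        "mac": ([a for a in algs["mac"] if WEAK_MAC.search(a)],
                [a for a in algs["mac"] if not WEAK_MAC.search(a)]),
    }

def remediation(algs):
    """IOS config lines that keep only the strong algorithms, original order kept."""
    report = audit(algs)
    cmds = []
    if report["mac"][0] and report["mac"][1]:
        cmds.append("ip ssh server algorithm mac " + " ".join(report["mac"][1]))
    if report["encryption"][0] and report["encryption"][1]:
        # Assumed: the encryption form mirrors the mac form shown in the thread.
        cmds.append("ip ssh server algorithm encryption " + " ".join(report["encryption"][1]))
    return cmds

if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for kind, (weak, strong) in audit(parsed).items():
        print(f"{kind}: weak={weak} strong={strong}")
    for cmd in remediation(parsed):
        print("config:", cmd)
```

Run it against a pasted `show ip ssh` capture from your own switch; if no weak entries are found, no config lines are emitted.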

 
