Cisco Support Community
SSH Algorithm

Hello

Our internal network security team has identified a vulnerability regarding the SSH server within the Catalyst switches. As per the vulnerability team, SSH is configured to allow MD5 and 96-bit MAC algorithms for client-to-server communication. These algorithms are assumed to be weak by the vulnerability team.

Is there any way by which we can change the algorithms used between the SSH server (switch) and client? From the CLI, can we change the algorithm used in this communication?

Kindly suggest.
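How a scanner finds the MD5 and 96-bit MACs in the first place: before any key exchange the switch sends SSH_MSG_KEXINIT (RFC 4253, section 7.1), which lists every algorithm it will accept, in the clear. The script below is an added example, not code from this thread or from Cisco; it frames and parses that packet, flags MD5 and 96-bit MACs, and can probe a live host. The sample server lists are constructed (the algorithm names are real, the exact list is an assumption), and the banner string `SSH-2.0-macaudit_0.1` is made up.

```python
"""Audit the MAC algorithms an SSH server advertises in its KEXINIT.

Added example (not code from the thread or from Cisco). Before any key
exchange, an SSH-2 server sends SSH_MSG_KEXINIT (RFC 4253, section 7.1)
listing every algorithm it will accept, in the clear. A scanner only has
to read that one packet; 'show ssh' shows only what one session negotiated.
"""
import socket
import struct

# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20


def wrap_packet(payload: bytes, block: int = 8) -> bytes:
    """Frame a payload as an unencrypted SSH binary packet (RFC 4253, 6)."""
    padlen = block - ((len(payload) + 5) % block)
    if padlen < 4:                       # RFC requires at least 4 bytes of padding
        padlen += block
    body = bytes([padlen]) + payload + b"\x00" * padlen
    return struct.pack(">I", len(body)) + body


def unwrap_packet(data: bytes) -> bytes:
    """Return the payload of one binary packet (no MAC yet: pre key exchange)."""
    (plen,) = struct.unpack_from(">I", data, 0)
    padlen = data[4]
    return data[5:4 + plen - padlen]


def build_kexinit(lists: dict, cookie: bytes = b"\x00" * 16) -> bytes:
    """Serialise a KEXINIT payload; used here to construct sample input."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    out += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    return bytes(out)


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten comma-separated name-lists from a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                             # message type, then 16-byte cookie
    lists = {}
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists[name] = [a for a in raw.split(",") if a]
    return lists


def weak_macs(lists: dict) -> dict:
    """MACs a scanner would flag: MD5-based or truncated to 96 bits."""
    flagged = {}
    for direction in ("mac_c2s", "mac_s2c"):
        bad = [m for m in lists[direction] if "md5" in m or "-96" in m]
        if bad:
            flagged[direction] = bad
    return flagged


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Read the banner and KEXINIT from a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        while True:                          # servers may print text before the banner
            line = rd.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-macaudit_0.1\r\n")   # assumed client banner
        header = rd.read(4)
        (plen,) = struct.unpack(">I", header)
        return parse_kexinit(unwrap_packet(header + rd.read(plen)))


# Constructed sample standing in for a switch that still offers MD5 and 96-bit
# MACs. The algorithm names are real; the exact list is an assumption.
SAMPLE_SERVER = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "enc_s2c": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
    "lang_c2s": [], "lang_s2c": [],
}


def audit_sample() -> dict:
    """Round-trip the constructed KEXINIT through framing and parser, then flag."""
    packet = wrap_packet(build_kexinit(SAMPLE_SERVER))
    return weak_macs(parse_kexinit(unwrap_packet(packet)))


if __name__ == "__main__":
    import sys
    lists = (probe(sys.argv[1]) if len(sys.argv) > 1
             else parse_kexinit(build_kexinit(SAMPLE_SERVER)))
    for direction, macs in weak_macs(lists).items():
        print(f"{direction}: weak MACs offered: {', '.join(macs)}")
```

Run it with a hostname to probe a real switch, or with no arguments to audit the constructed sample. Nothing is authenticated or encrypted at this stage of the protocol, so the probe needs no credentials and leaves no more trace than any other scan.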


SSH Algorithm

Have you enabled SSHv2?

SSH Algorithm

Hello

SSH is already enabled and is working. This is the vulnerability found by the security team during their assessment. I just wanted to understand whether the option is available from the CLI to configure/change the auth algorithms used between client-server SSH communication.

SSH Algorithm

Have you enabled SSHv2 or are you running version 1?

SSH Algorithm

SSHv2 is already enabled and working.

Re: SSH Algorithm

You will need to change the algorithm in your SSH client. There is no way to do it on the server side.

You can view the encryption with show ssh when you're connected.

Hope it helps.

Re: SSH Algorithm

Hello

So I need to change the algorithms in my SSH client, like the PuTTY client I used for initiating the SSH connection.

The output of show ssh is mentioned below:

OLD-1F-192.8#show ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  a548464
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  a548464

So here the HMAC (hmac-sha1) shown is one supported by the switch, right?

The vulnerability team has concerns about hmac-md5 and hmac-md5-96, whereas hmac-sha1 is OK for them.

Please confirm.

Re: SSH Algorithm

Yes, the current connections are using SHA1. Correct, you would change it in PuTTY if that is what you use. I use SecureCRT and here's a screenshot of how I can set what encryption to use.

SSH Algorithm

Hello

My last query is:

So the output of show ssh is showing the MAC used from the SSH client, and this output will change depending on the SSH client configuration. This has nothing to do with the SSH server configuration, which is the Catalyst switch, and there is no way we can change the encryption/auth algorithms to be used by the SSH server (Catalyst switch)?

Many Thanks for your help.

SSH Algorithm

That is correct.
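Why the show ssh output tracks the client, and what a client-side fix does and does not cover, as an added example that is not part of the thread. Per RFC 4253, section 7.1, each direction uses the first algorithm in the client's list that the server also offers, so the Hmac column reflects the client's preference order; the server's list only bounds what is possible. Restricting your own client (for OpenSSH, the `MACs` option in ssh_config) fixes your sessions, but any client that prefers MD5 still gets it as long as the switch offers it; only a server-side restriction removes the finding. On IOS and IOS XE releases that include the SSH Algorithms for Common Criteria Certification feature, `ip ssh server algorithm mac` does exactly that; the switch in this thread may predate it. The client and switch lists below are constructed.

```python
"""Show which MAC an SSH session ends up with, and which side controls it.

Added example (not from the thread or from Cisco). Per RFC 4253, 7.1, each
direction uses the first algorithm in the client's list that the server also
offers, so the Hmac column of 'show ssh' reflects the client's preference
order. The server's list decides only which choices are possible at all.
"""


def negotiate(client_prefs, server_offers):
    """RFC 4253, 7.1 selection: first client choice the server also lists."""
    for alg in client_prefs:
        if alg in server_offers:
            return alg
    return None                       # no common algorithm: the connection fails


def negotiate_session(client, server):
    """Pick encryption and MAC for both directions, as a KEXINIT exchange would."""
    return {key: negotiate(client[key], server[key])
            for key in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")}


def is_weak_mac(name):
    """What the scanner in the thread objected to: MD5-based or 96-bit MACs."""
    return name is None or "md5" in name or "-96" in name


# Constructed lists (assumptions, not captured from a real device).
# SWITCH stands in for a switch that still offers MD5 and 96-bit MACs.
SWITCH = {
    "enc_c2s": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "enc_s2c": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
}
# The same switch after a server-side restriction to hmac-sha1 only.
SWITCH_HARDENED = {**SWITCH, "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]}

# A client that prefers SHA-1 but will fall back to MD5 (like the PuTTY
# session in the show ssh output above), one that prefers MD5, and one with
# MD5 removed from its list.
CLIENT_DEFAULT = {
    "enc_c2s": ["aes256-cbc", "aes256-ctr"],
    "enc_s2c": ["aes256-cbc", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}
CLIENT_OLD = {**CLIENT_DEFAULT,
              "mac_c2s": ["hmac-md5", "hmac-sha1"],
              "mac_s2c": ["hmac-md5", "hmac-sha1"]}
CLIENT_RESTRICTED = {**CLIENT_DEFAULT,
                     "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
                     "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]}


def scenarios():
    """The cases behind the thread's conclusion, keyed by a short label."""
    return {
        "default client, unhardened switch": negotiate_session(CLIENT_DEFAULT, SWITCH),
        "md5-first client, unhardened switch": negotiate_session(CLIENT_OLD, SWITCH),
        "md5-first client, hardened switch": negotiate_session(CLIENT_OLD, SWITCH_HARDENED),
        "restricted client, unhardened switch": negotiate_session(CLIENT_RESTRICTED, SWITCH),
    }


if __name__ == "__main__":
    # Mirrors the Encryption / Hmac columns of 'show ssh' for the IN direction.
    for label, result in scenarios().items():
        flag = "WEAK" if is_weak_mac(result["mac_c2s"]) else "ok"
        print(f"{label:38} IN {result['enc_c2s']:11} {result['mac_c2s']}  [{flag}]")
```

The first scenario reproduces the aes256-cbc / hmac-sha1 rows from the show ssh output; the second shows why the scanner's finding stands even though that session looked fine; the third shows the effect of a server-side restriction, which is the only change that covers every client.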
