Our internal network security team has identified a vulnerability regarding the SSH server within the Catalyst switches. As per the vulnerability team, SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by
Is there any way by which we can change the algorithms used between the SSH server (switch) and client? From the CLI, can we change the algorithm used in this communication?
SSH is already enabled and is working. This is the vulnerability found by the security team during their assessment. I just wanted to understand whether the option is available from the CLI to configure/change the auth algorithms used between client-server SSH communication.
You will need to change the algorithm in your SSH client. There is no way to do it on the server side.
You can view the encryption with show ssh when you're connected.
Hope it helps.
So I need to change the algorithms in my SSH client, like the PuTTY client I used for initiating the SSH connection.
The output of show ssh is mentioned below:
%No SSHv1 server connections running.
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started a548464
0 2.0 OUT aes256-cbc hmac-sha1 Session started a548464
So here the Hmac state (hmac-sha1) defined is one supported by the switch, right?
The vulnerability team has concerns about hmac-md5 & hmac-md5-96, whereas hmac-sha1 is OK for them.
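As an added example (not code from this thread or from Cisco), here is a small parser for the `show ssh` output pasted above that applies the policy the security team stated: sessions negotiated with hmac-md5 or hmac-md5-96 are flagged, hmac-sha1 is accepted. The sample text is constructed in the same layout as the output above, with one extra session using a weak MAC so there is something to flag; the connection id, username and cipher of that extra session are made up.

```python
"""Flag SSH sessions on a switch whose negotiated MAC is on a weak list.

Added example, not from the thread. It parses the plain-text output of
`show ssh` and reports sessions whose HMAC is considered weak by the policy
stated in the thread (hmac-md5 and hmac-md5-96 weak, hmac-sha1 acceptable).
"""
import re
from typing import Dict, Iterable, List

# Policy as stated by the security team in the thread.
WEAK_MACS = {"hmac-md5", "hmac-md5-96"}

# Constructed sample in the same layout as the thread's `show ssh` output.
# Connection 1 (user "user2", aes128-cbc, hmac-md5-96) is invented so that
# the check has a weak session to flag.
SAMPLE_SHOW_SSH = """\
%No SSHv1 server connections running.
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started a548464
0 2.0 OUT aes256-cbc hmac-sha1 Session started a548464
1 2.0 IN aes128-cbc hmac-md5-96 Session started user2
1 2.0 OUT aes128-cbc hmac-md5-96 Session started user2
"""

# One session line: conn, version, IN/OUT, cipher, MAC, state (may contain
# spaces, e.g. "Session started"), username (last token).
SESSION_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<version>\S+)\s+(?P<mode>IN|OUT)\s+"
    r"(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<state>.+?)\s+(?P<user>\S+)$"
)


def parse_show_ssh(text: str) -> List[Dict[str, str]]:
    """Return one dict per session line; header and notice lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = SESSION_RE.match(line.strip())
        if match:
            sessions.append(match.groupdict())
    return sessions


def weak_sessions(sessions: Iterable[Dict[str, str]],
                  weak: Iterable[str] = WEAK_MACS) -> List[Dict[str, str]]:
    """Return the sessions whose negotiated MAC is in the weak set."""
    weak_set = {m.lower() for m in weak}
    return [s for s in sessions if s["mac"].lower() in weak_set]


def report(text: str) -> Dict[str, object]:
    """Summarise a `show ssh` dump: total sessions, flagged sessions, distinct MACs."""
    sessions = parse_show_ssh(text)
    flagged = weak_sessions(sessions)
    return {
        "sessions": len(sessions),
        "weak": sorted({(s["conn"], s["user"], s["mac"]) for s in flagged}),
        "macs_seen": sorted({s["mac"] for s in sessions}),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SHOW_SSH).items():
        print(f"{key}: {value}")
```

The MAC shown in `show ssh` is the one negotiated for that session, so running this over the output while different clients are connected shows which clients still negotiate MD5-based MACs and need their preference list changed (in PuTTY or SecureCRT, as discussed in the replies).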
Yes, the current connections are using SHA1. Correct, you would change it in PuTTY if that is what you use. I use SecureCRT, and here's a screenshot of how I can set what encryption to use.
Last query:
So the output of show ssh is showing the MAC used from the SSH client, and this output will change depending on the SSH client configuration. This has nothing to do with the SSH server configuration, which is the Catalyst switch, and there is no way we can change the encryption/auth algorithms to be used by the SSH server (Catalyst switch).
Many Thanks for your help.