topic Thanks Ashish. 3DES-AWS is in Network Access Control

Moving to SSH version 2 from compatible mode - Do i need to re-generate keys?

ramesh.8901 — Mon, 11 Mar 2019 07:42:15 GMT

Hi All,

On my ASAs (5545 - version 9.5(2)), i am trying to move from the compatible version and forcing it to only version 2. Is there something that i need to take care of while doing this so that i don't get locked out? Do i need to re-generate the ssh keys once i do this?

I do not have console access to these ASAs, so i want to make sure that i do this right. Please can someone advise?

Here's the output for ssh on my firewall:

sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2

sh run aaa
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL

Thanks!

Make sure you have following

Ashish Jhaldiyal — Mon, 08 May 2017 19:26:08 GMT

Make sure you have following

-3DES-AES license is enabled

-Make sure SSH keys are above 768 if not re-generate.

-command to enable ssh V2 is below "ssh version 2"

-SSH client should support V2

you can also perform these changes from ASDM by going to Configuration>Device Management>Management access>ASDM/HTTPS/Telnet/SSH -- change allowed version to 2 only

Ashish

Thanks Ashish. 3DES-AWS is

ramesh.8901 — Mon, 08 May 2017 22:04:59 GMT

Thanks Ashish. 3DES-AWS is enabled, but how do i check if the ssh keys are above 768? Also what does that exactly mean?

And yes ssh version 2 is supported.

Ignore it, I just tested ssh

Ashish Jhaldiyal — Mon, 08 May 2017 22:52:28 GMT

Ignore it, I just tested ssh v 2 with 512 key length and it works fine..

So all you need is

3des license

ssh version 2

client which supports ssh version 2

For security 2048 is

Ashish Jhaldiyal — Mon, 08 May 2017 23:47:05 GMT

For security 2048 is recommended.

Here is a guide for enabling

Karsten Iwen — Tue, 09 May 2017 06:43:57 GMT

Here is a guide for enabling SSH:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security

Thanks Karsten. I did take a

ramesh.8901 — Tue, 09 May 2017 23:38:05 GMT

Thanks Karsten. I did take a look at this document when i was googling for answers before putting this question up over here. It's really good! I was however wondering in my case, how do i go about check to see how i can go about looking at the length of the RSA keys i have an more importantly if i would have to renegotiate the keys is force to SSH version 2 from the compatible mode.