https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4715154#M1094733 <P>I fixed my issue!</P><P><STRONG>Issue:&nbsp;</STRONG>SSH Server Supports Weak Key Exchange Algorithms:22</P><P><STRONG>Fix cli -&nbsp;</STRONG>ip ssh serv alg kex diffie-hellman-group14-sha1</P><P>Make sure you can open another ssh session into your device after you put the command in, so you don't lock yourself out.</P><P>&nbsp;</P><P><STRONG>R</STRONG><STRONG>eccomend to do this also:</STRONG></P><P>ip ssh time-out 15</P><P>ip ssh authentication-retries 2</P><P>ip ssh version 2</P><P>ip ssh server algorithm mac hmac-sha2-256&nbsp;&nbsp;&nbsp; &lt;&lt;&lt;this will have error and can’t use putty if I use a higher one</P><P>ip ssh server algorithm encryption aes256-ctr&nbsp;</P> Wed, 02 Nov 2022 21:04:43 GMT Network713 2022-11-02T21:04:43Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558091#M1087617 <P>A Nessus scan reported several of our devices are allowing weak key exchange algorithms and I have been asked to disable them. I have specifically been asked to disable:</P><PRE><SPAN>diffie-hellman-group-exchange-sha1</SPAN><BR /><SPAN>diffie-hellman-group1-sha1</SPAN></PRE><P><SPAN>on all devices. I've read various posts and I'm still not sure how to do this. I have found devices where the 'show ip ssh' is essentially the same, but one reports the vulnerability and one doesn't. I have been trying to apply:</SPAN></P><PRE><SPAN>crypto key generate rsa label SSH-KEY modulus 2048<BR />ip ssh rsa keypair-name SSH-KEY<BR />ip ssh version 2<BR />ip ssh dh min size 2048<BR />ip ssh server algorithm encryption aes256-ctr<BR />ip ssh server algorithm mac hmac-sha1<BR />line vt 0 15<BR />transport input ssh</SPAN></PRE><P>everywhere, but this doesn't s&nbsp;</P> Wed, 23 Feb 2022 17:01:48 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558091#M1087617 spfister336 2022-02-23T17:01:48Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558101#M1087618 <P>Not sure what is this device here ?</P> <P>&nbsp;</P> <P>Follow below guide to disable :</P> <P>&nbsp;</P> <P><A href="https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html" target="_blank">https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Feb 2022 17:08:46 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558101#M1087618 balaji.bandi 2022-02-23T17:08:46Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558118#M1087619 <P>The devices are mostly stacks of 2960Xs and 4500X VSS pairs. I think I've already applied everything in that link, but I'll go over it again carefully.</P> Wed, 23 Feb 2022 17:20:41 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558118#M1087619 spfister336 2022-02-23T17:20:41Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558129#M1087620 <P>also post the output here for us to understand what keys are there. reset RSA keys by making zero and creating new RSA key with higher bit to be consider.</P> <P>&nbsp;</P> <P>make sure you do using right access method to change RSA in case you like to go with that option</P> <P>&nbsp;</P> Wed, 23 Feb 2022 17:27:03 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558129#M1087620 balaji.bandi 2022-02-23T17:27:03Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558300#M1087622 <P>I can post whatever is needed. Do you need the output from 'show ip ssh'?</P> Wed, 23 Feb 2022 19:15:02 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558300#M1087622 spfister336 2022-02-23T19:15:02Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558444#M1087624 <P>yes also suggest to post show run and show ip ssh</P> Thu, 24 Feb 2022 00:22:21 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4558444#M1087624 balaji.bandi 2022-02-24T00:22:21Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4715154#M1094733 <P>I fixed my issue!</P><P><STRONG>Issue:&nbsp;</STRONG>SSH Server Supports Weak Key Exchange Algorithms:22</P><P><STRONG>Fix cli -&nbsp;</STRONG>ip ssh serv alg kex diffie-hellman-group14-sha1</P><P>Make sure you can open another ssh session into your device after you put the command in, so you don't lock yourself out.</P><P>&nbsp;</P><P><STRONG>R</STRONG><STRONG>eccomend to do this also:</STRONG></P><P>ip ssh time-out 15</P><P>ip ssh authentication-retries 2</P><P>ip ssh version 2</P><P>ip ssh server algorithm mac hmac-sha2-256&nbsp;&nbsp;&nbsp; &lt;&lt;&lt;this will have error and can’t use putty if I use a higher one</P><P>ip ssh server algorithm encryption aes256-ctr&nbsp;</P> Wed, 02 Nov 2022 21:04:43 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4715154#M1094733 Network713 2022-11-02T21:04:43Z https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4719406#M1094987 <P>added 3 of the statements above and it did resolve my ssh failures on scan........thanks for providing a solution</P> Thu, 10 Nov 2022 16:32:59 GMT https://community.cisco.com/t5/network-security/disabling-ssh-weak-key-exchange-algorithms-in-ios/m-p/4719406#M1094987 ronaldrapp7190 2022-11-10T16:32:59Z