topic Re: SSH Weak Key Exchange Algorithms Enabled in Catalyst 3850 48 Port in Network Security https://community.cisco.com/t5/network-security/ssh-weak-key-exchange-algorithms-enabled-in-catalyst-3850-48/m-p/5210033#M1116637 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651040">@Minato</a> you may need to upgrade your IOS-XE version to support the latest crypto. Use the following commands:-</P> <PRE>ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256 ip ssh server algorithm encryption aes256-gcm aes256-ctr aes192-ctr aes128-gcm ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp256</PRE> <P>This post covers securing IOS-XE SSH in more detail - <A href="https://integrate.uk.com/securing-ios-xe-ssh/" target="_blank">https://integrate.uk.com/securing-ios-xe-ssh/</A></P> <P>&nbsp;</P> Thu, 17 Oct 2024 06:44:56 GMT Rob Ingram 2024-10-17T06:44:56Z SSH Weak Key Exchange Algorithms Enabled in Catalyst 3850 48 Port PoE https://community.cisco.com/t5/network-security/ssh-weak-key-exchange-algorithms-enabled-in-catalyst-3850-48/m-p/5209970#M1116635 <P><SPAN>Cisco switch Catalyst 3850 48 Port PoE - Vulnerability</SPAN></P><P>can any one help me to fix the issue</P><P>test#sh ip ssh<BR />SSH Enabled - version 2.0<BR />Authentication methods:publickey,keyboard-interactive,password<BR />Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,rsa-sha2-256,rsa-sha2-512<BR />Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa<BR />Encryption Algorithms:aes256-ctr,aes128-ctr<BR />MAC Algorithms:hmac-sha1<BR />KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1<BR />Authentication timeout: 120 secs; Authentication retries: 3<BR />Minimum expected Diffie Hellman key size : 2048 bits<BR />IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1611723854<BR />ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDVe73ODoAh3O6V8eWto+k4oqGyoHIr6RYQOikubUy<BR />qcNg4rG38y2zd/8lBXEal4kNwN6mfVZ2XiijcFMJdkO8csLfATMQETm2Z4yLcHZQNaTTHcxWsudxbBSd<BR />tXZscw4Ysg1vyah3BEx1RhJWcHagVh+xl/BJXnzy/3xcU6SXvw==<BR />test#</P> Thu, 17 Oct 2024 04:40:07 GMT https://community.cisco.com/t5/network-security/ssh-weak-key-exchange-algorithms-enabled-in-catalyst-3850-48/m-p/5209970#M1116635 Minato 2024-10-17T04:40:07Z Re: SSH Weak Key Exchange Algorithms Enabled in Catalyst 3850 48 Port https://community.cisco.com/t5/network-security/ssh-weak-key-exchange-algorithms-enabled-in-catalyst-3850-48/m-p/5210033#M1116637 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651040">@Minato</a> you may need to upgrade your IOS-XE version to support the latest crypto. Use the following commands:-</P> <PRE>ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256 ip ssh server algorithm encryption aes256-gcm aes256-ctr aes192-ctr aes128-gcm ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp256</PRE> <P>This post covers securing IOS-XE SSH in more detail - <A href="https://integrate.uk.com/securing-ios-xe-ssh/" target="_blank">https://integrate.uk.com/securing-ios-xe-ssh/</A></P> <P>&nbsp;</P> Thu, 17 Oct 2024 06:44:56 GMT https://community.cisco.com/t5/network-security/ssh-weak-key-exchange-algorithms-enabled-in-catalyst-3850-48/m-p/5210033#M1116637 Rob Ingram 2024-10-17T06:44:56Z