topic Re: SSH Weak Ciphers in Network Security

SSH Weak Ciphers

NMS2 — Sun, 31 Aug 2025 10:38:07 GMT

Hello, I have two routers 1121X and 4221, and when i tried the penetration testing, i got the result below:

# algorithm recommendations (for Cisco IOS/PIX sshd 1.25)

(rec) -diffie-hellman-group-exchange-shal kex algorithm to remove

(rec) -diffie-hellman-group14-shal kex algorithm to remove

(rec) -hmac-shal mac algorithm to remove

(rec) -hmac-sha1-96 mac algorithm to remove

(rec) -ssh-rsa key algorithm to remove

(rec) -hmac-sha2-256 mac algorithm to remove

(rec) -hmac-sha2-512 mac algorithm to remove

the bold lines already solved i need to solve the last one.

here is some shows from my router 1121X

Cisco IOS XE Software, Version 17.09.05a

Cisco IOS Software [Cupertino], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.5a, RELEASE SOFTWARE (fc1)

SSH Enabled - version 2.0

Authentication methods:publickey,keyboard-interactive,password

Authentication Publickey Algorithms:ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384

Hostkey Algorithms:rsa-sha2-512

Encryption Algorithms:aes256-gcm,aes256-ctr

MAC Algorithms:hmac-sha2-512

KEX Algorithms:ecdh-sha2-nistp521

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 4096 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded): RSA-SHA2

Modulus Size : 4096 bits

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmK1tGkBUiKY6KJS38Y1+Si654tX+NG+HYH1HNWQv7

4OBmY4spkvgkM/EVkVLl+GKEvqr8XhIVGaVTiC56o3EkAQEIKxQVVaMVDlky07hPjFfRpyLIBwtirw7n

ngn9OsUvtUArMYbCDyEr+EAEEhmYaKUq24bBIUYU3WAQjoUAK2VxjlhM0fCwk1vBzmEo2LAtHjLKVNLS

Y0Mqk/VBb3F3DCYREhlXx4k7CIRHIpx8A/vq3n04jJNviMFIi37K8IK6z5ErBXQACoh68S1ziNOGPrhn

QjmmdPpsawhk8wxZRq9/JbF93kmVuR4WvbOML8YRqmk6nkZG2Xqz7EyU+9oovdWzZY5ZmvojO3O6XA7C

QvLQQ3I1U6CTkhfIaotgg3ysHbtiw6qry5nuIu4db0xVx1VKdrb0Zx/+VlHpUn/wPl40Wt4Pthulon2m

Br8TrKHoJcmTglcKIx4lSROkWmQY1UJEcMcACs0R+CutZLZifMEHvkQToW/2aH6dYyqWh8Uq3d0f9oov

ShIjKkpeM/S0lLDWPagZeijIY2pDv1hwl90W6wxB8AR1GYINo8AjH38269QmL6zQCSak8VpxKQ8dsO92

lFW10sxN7PLQvqXatuf1gu84/I+zsdLUwFZXHmUFHNOqkygYuvSYT7srz76PKhCvCNjWa8oh7M4F9Zti

Re: SSH Weak Ciphers

MHM Cisco World — Sun, 31 Aug 2025 10:44:24 GMT

ip ssh server algorithm hostkey <<- what option available in this command?

MHM

Re: SSH Weak Ciphers

Jens Albrecht — Sun, 31 Aug 2025 17:00:37 GMT

Hello @NMS2,

the typical options on IOS-XE routers are the following:

Rtr01(config)#ip ssh server algorithm mac ? hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits) hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits) hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits) hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits) hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits) Rtr01(config)#

So which one do you want to use? HMAC-SHA2-512-ETM?
Once you enabled this, you can remove HMAC-SHA2-512.

HTH!

Re: SSH Weak Ciphers

MHM Cisco World — Sun, 31 Aug 2025 21:15:05 GMT

ip ssh server algorithm mac ?

Share output of this

If max is

Hmac-sha2-512 <<- then it routers limitations

If routers run (Encrypt-then-MAC) ETM then run it' it more secure.

MHM

Re: SSH Weak Ciphers

NMS2 — Mon, 01 Sep 2025 08:51:50 GMT

i already use hmac-sha2-512, but the penetration test result is
(rec) -hmac-sha2-512 mac algorithm to remove

this is the higher KEY for hmac.

any solution

Re: SSH Weak Ciphers

NMS2 — Mon, 01 Sep 2025 08:53:01 GMT

ip ssh server algorithm mac ?
  hmac-sha1                      HMAC-SHA1 (digest length = 160 bits,key length
                                 = 160 bits)
  hmac-sha2-256                  HMAC-SHA2-256 (digest length = 256 bits, key
                                 length = 256 bits)
  hmac-sha2-256-etm@openssh.com  HMAC-SHA2-256-ETM (digest length = 256 bits,
                                 key length = 256 bits)
  hmac-sha2-512                  HMAC-SHA2-512 (digest length = 512 bits, key
                                 length = 512 bits)
  hmac-sha2-512-etm@openssh.com  HMAC-SHA2-512-ETM (digest length = 512 bits,
                                 key length = 512 bits)

Re: SSH Weak Ciphers

MHM Cisco World — Mon, 01 Sep 2025 10:09:17 GMT

hmac-sha2-512-etm@openssh.com

Use this

MHM

Re: SSH Weak Ciphers

NMS2 — Mon, 01 Sep 2025 13:24:48 GMT

it has the same digest length, so the problem will still exist.

Re: SSH Weak Ciphers

NMS2 — Mon, 01 Sep 2025 13:27:44 GMT

the test result need to remove hmac-sha2-512 to a large key, i can't find in my router any lagre key, the two keys with ETM has the same digest length

Re: SSH Weak Ciphers

MHM Cisco World — Mon, 01 Sep 2025 13:27:53 GMT

It true it have same digest 512 but it encrypt first so it more strong.

Use it and let test decided it weak or not

MHM

Re: SSH Weak Ciphers

Jens Albrecht — Mon, 01 Sep 2025 15:59:34 GMT

What's the problem with HMAC-SHA2-512-ETM?

This algorithm is considered secure as of today and is recommended for use in SSH and other cryptographic protocols that require strong message authentication codes (MACs).

The ETM (Encrypt-then-MAC) construction further hardens the protocol against certain exploits, such as padding oracle attacks and length extension attacks.

So what are your looking for?

SHA3 algorithms? AEAD ciphers? Quantum-resistant encryption?

The routers you are using are pretty old and the 4221 already reached EOL so Cisco will not provide any new software version for this platform. These old hardware platforms simply do not support anything beyond what is offered now.

The solution is simple.

Scrap your routers and buy the new Cisco Secure Series routers that have just been launched a few months ago.

These routers have new hardware that is build to support future-proof branch security with advanced, quantum-resistant encryption.

The Cisco 8100 Series Secure Routers Data Sheet can be found here:
https://www.cisco.com/site/us/en/products/collateral/networking/sdwan-routers/8000-secure-routers/8100-series-secure-routers-ds.html

Of course, there are also more powerful models with the 8200/8300 Series Secure routers. The first link above leads to the data sheets for each series. Be careful not to mix them up with the old 8200/8300 Series routers (that's why I put the 'Secure' in bold).

...and a final note.
These brand-new routers will be shipped with the same algorithms supported as of now. The hardware does support PQC security but the first software versions with quantum-resistant encryption are expected to be released some time next year. So patience is your best friend.

HTH!

Re: SSH Weak Ciphers

NMS2 — Sat, 06 Sep 2025 12:44:45 GMT

I replaced 4221 with 1121X router in support, and the IOS has been upgraded to the latest.

i have no problems with HMAC-SHA2-512-ETM, but it will not solve the scanner issue.