https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327607#M1122592 <P>Hi Jens, Thanks for replying.<BR /><BR />My main issue and the reason I reached out is because the switch is not recognizing these commands. As shown Below. I am unaware of what exactly would be causing this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ClayKoldenRTC_0-1757098560676.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/251466i7E4FADCCD7345200/image-size/medium?v=v2&amp;px=400" role="button" title="ClayKoldenRTC_0-1757098560676.png" alt="ClayKoldenRTC_0-1757098560676.png" /></span></P><P>&nbsp;</P> Fri, 05 Sep 2025 18:56:28 GMT Clay Kolden - RTC 2025-09-05T18:56:28Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327590#M1122589 <P><BR />Our CISCO 9300 Catalyst switch has a weak SSH algorithms like KEX and MAC ciphers. Specifically the ones listed below and replace them with non-deprecated algorithms. The instructions I have found have been misleading and commands are inaccurate. Any advice would be greatly appreciated.<BR />KEX:<BR />diffie-hellman-group-exchange-sha1 (2048-bit)</P><P>diffie-hellman-group14-sha1<BR /><BR />MAC:<BR />hmac-sha1</P><P>hmac-sha1-96</P> Fri, 05 Sep 2025 17:35:33 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327590#M1122589 Clay Kolden - RTC 2025-09-05T17:35:33Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327593#M1122590 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1916377">@Clay Kolden - RTC</a>,</P> <P>you can use the following commands to add or delete algorithms:</P> <LI-CODE lang="markup">Sw01(config)#ip ssh server algorithm ? authentication User authentication methods advertised to client encryption Encrytption algorithms advertised to other party hostkey Hostkey publickey algorithms advertised to client kex KEX algorithms advertised to other party mac MAC algorithms advertised to other party publickey Acceptable publickey algorithms for User authentication</LI-CODE> <P>For the KEX and MAC algorithms you have many options:</P> <LI-CODE lang="markup">Sw01(config)#ip ssh server algorithm kex ? curve25519-sha256 Curve 25519 key exchange algorithm curve25519-sha256@libssh.org Curve 25519 key exchange algorithm old name diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm diffie-hellman-group14-sha256 DH_GRP14_SHA256 diffie-hellman key exchange algorithm diffie-hellman-group16-sha512 DH_GRP16_SHA512 diffie-hellman key exchange algorithm ecdh-sha2-nistp256 ECDH_SHA2_P256 ecdh key exchange algorithm ecdh-sha2-nistp384 ECDH_SHA2_P384 ecdh key exchange algorithm ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm Sw01(config)#ip ssh server algorithm mac ? hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits) hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits) hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits) hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits) hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits) Sw01(config)#</LI-CODE> <P>Options might vary with the software version you use, but you can adjust those algorithms as needed.</P> <P>HTH!</P> Fri, 05 Sep 2025 17:50:31 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327593#M1122590 Jens Albrecht 2025-09-05T17:50:31Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327599#M1122591 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1916377">@Clay Kolden - RTC</a>&nbsp;<BR /><BR /></P> <P data-start="22" data-end="106">On IOS-XE you remove weak SSH options by explicitly defining the strong ones. Use:</P> <UL data-start="108" data-end="291"> <LI data-start="108" data-end="185"> <P data-start="110" data-end="185"><CODE data-start="110" data-end="141">ip ssh server algorithm kex …</CODE> → pick only DH-group16/18 or ECDH (sha2).</P> </LI> <LI data-start="186" data-end="255"> <P data-start="188" data-end="255"><CODE data-start="188" data-end="219">ip ssh server algorithm mac …</CODE> → allow only hmac-sha2 (256/512).</P> </LI> <LI data-start="256" data-end="291"> <P data-start="258" data-end="291">Optionally set AES-CTR ciphers.</P> </LI> </UL> <P data-start="293" data-end="383">After that, <CODE data-start="305" data-end="335">show ip ssh server algorithm</CODE> will confirm SHA1 and old DH groups are gone.</P> <P data-start="385" data-end="424">–––<BR data-start="388" data-end="391" />Best regards,<BR data-start="404" data-end="407" />Stefan Mihajlov</P> <P data-start="426" data-end="524" data-is-last-node="" data-is-only-node=""><EM data-start="426" data-end="524" data-is-last-node="">Mark this post as Helpful if it helped you, and Accept as Solution if it resolved your question.</EM></P> Fri, 05 Sep 2025 18:47:42 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327599#M1122591 Stefan Mihajlov 2025-09-05T18:47:42Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327607#M1122592 <P>Hi Jens, Thanks for replying.<BR /><BR />My main issue and the reason I reached out is because the switch is not recognizing these commands. As shown Below. I am unaware of what exactly would be causing this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ClayKoldenRTC_0-1757098560676.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/251466i7E4FADCCD7345200/image-size/medium?v=v2&amp;px=400" role="button" title="ClayKoldenRTC_0-1757098560676.png" alt="ClayKoldenRTC_0-1757098560676.png" /></span></P><P>&nbsp;</P> Fri, 05 Sep 2025 18:56:28 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327607#M1122592 Clay Kolden - RTC 2025-09-05T18:56:28Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327612#M1122593 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1916377">@Clay Kolden - RTC</a>,</P> <P>you need to enter global config mode for these commands.</P> <P>As you can see at my previous post the prompt looks like 'Sw01(config)#'.</P> <P>In order to get there you need the command 'configure terminal', the prompt will change to 'INSIDE-9300(Config)#' and then you can enter the commands I mentioned before.</P> <P>when you are done, you leave the global config mode with the command 'exit' and then save the configuration with the command 'copy running-config startup-config'.</P> <P>HTH!</P> Fri, 05 Sep 2025 19:13:10 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327612#M1122593 Jens Albrecht 2025-09-05T19:13:10Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327616#M1122594 <P>Sorry I missed you not enter config mode.</P> <P>MHM</P> Fri, 05 Sep 2025 19:48:01 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327616#M1122594 MHM Cisco World 2025-09-05T19:48:01Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327654#M1122609 <P>Ah, I see now. Thank you so much for your help!</P> Fri, 05 Sep 2025 20:51:10 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327654#M1122609 Clay Kolden - RTC 2025-09-05T20:51:10Z https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327661#M1122612 <P>You're welcome! We are here to help.</P> Fri, 05 Sep 2025 21:02:00 GMT https://community.cisco.com/t5/network-security/disable-ssh-algorithms-on-cisco-switches/m-p/5327661#M1122612 Jens Albrecht 2025-09-05T21:02:00Z