https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727199#M917296 <P><SPAN style="font-size: 12px;">Hi,</SPAN></P><P><SPAN style="font-size: 14px;">I've got a 2960-x running SSHv1.</SPAN></P><P><SPAN style="font-size: 14px;">1) I need to disable SSHv1 and only run V2. Will the line listed below run ONLY SSHv2 and disable V1?</SPAN></P><P><SPAN style="font-size: 14px;">2) I need a cisco document that says SSHv1 can&nbsp; be completely disabled and only V2 runs on a 2960x.</SPAN></P><P style="margin-left: 40px;"><SPAN style="font-size: 14px;">I know that I need to add the following line:</SPAN></P><P style="margin-left: 40px;"><SPAN style="font-size: 14px;">#IP SSH version 2</SPAN></P><P>&nbsp;</P><P><SPAN style="line-height: 115%; font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;; font-size: 11pt; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: &quot;Times New Roman&quot;; mso-bidi-theme-font: minor-bidi; mso-ansi-language: EN-CA; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;"><FONT color="#000000">Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE </FONT></SPAN></P><P><SPAN style="font-size: 12px;">2960x-Switch#sho ip ssh</SPAN></P><P><SPAN style="font-size: 12px;">SSH Enabled - version 1.99</SPAN></P><P><SPAN style="font-size: 12px;">Authentication timeout: 120 secs; Authentication retries: 3</SPAN></P><P><SPAN style="font-size: 12px;">Minimum expected Diffie Hellman key size : 1024 bits</SPAN></P><P><SPAN style="font-size: 12px;">IOS Keys in SECSH format(ssh-rsa, base64 encoded):</SPAN></P><P><SPAN style="font-size: 12px;">Thanks!</SPAN></P><P><SPAN style="font-size: 12px;">Krista</SPAN></P><P>&nbsp;</P> Fri, 21 Feb 2020 13:33:32 GMT Krista Bowman 2020-02-21T13:33:32Z https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727199#M917296 <P><SPAN style="font-size: 12px;">Hi,</SPAN></P><P><SPAN style="font-size: 14px;">I've got a 2960-x running SSHv1.</SPAN></P><P><SPAN style="font-size: 14px;">1) I need to disable SSHv1 and only run V2. Will the line listed below run ONLY SSHv2 and disable V1?</SPAN></P><P><SPAN style="font-size: 14px;">2) I need a cisco document that says SSHv1 can&nbsp; be completely disabled and only V2 runs on a 2960x.</SPAN></P><P style="margin-left: 40px;"><SPAN style="font-size: 14px;">I know that I need to add the following line:</SPAN></P><P style="margin-left: 40px;"><SPAN style="font-size: 14px;">#IP SSH version 2</SPAN></P><P>&nbsp;</P><P><SPAN style="line-height: 115%; font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;; font-size: 11pt; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: &quot;Times New Roman&quot;; mso-bidi-theme-font: minor-bidi; mso-ansi-language: EN-CA; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;"><FONT color="#000000">Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE </FONT></SPAN></P><P><SPAN style="font-size: 12px;">2960x-Switch#sho ip ssh</SPAN></P><P><SPAN style="font-size: 12px;">SSH Enabled - version 1.99</SPAN></P><P><SPAN style="font-size: 12px;">Authentication timeout: 120 secs; Authentication retries: 3</SPAN></P><P><SPAN style="font-size: 12px;">Minimum expected Diffie Hellman key size : 1024 bits</SPAN></P><P><SPAN style="font-size: 12px;">IOS Keys in SECSH format(ssh-rsa, base64 encoded):</SPAN></P><P><SPAN style="font-size: 12px;">Thanks!</SPAN></P><P><SPAN style="font-size: 12px;">Krista</SPAN></P><P>&nbsp;</P> Fri, 21 Feb 2020 13:33:32 GMT https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727199#M917296 Krista Bowman 2020-02-21T13:33:32Z https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727200#M917297 <P>hi when you see 1.99 it's still backward compatabile to 1 so yes use that command and run show ip ssh again you want to see 2 only , your keys are long enough for v2 theyneed to be at least 1024 for v2 to work</P> Tue, 18 Aug 2015 20:56:29 GMT https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727200#M917297 Mark Malone 2015-08-18T20:56:29Z https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727201#M917298 <P>Hi Mark,</P><P>Thanks very much. However, I still need a document that says that SSHv1 is Disabled from running by doing so for that switch model and/or IOS. That I have not been able to find.</P><P>Would you know where that might be?</P><P>Thank you,</P><P>Krista</P><P>&nbsp;</P> Fri, 21 Aug 2015 15:59:55 GMT https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727201#M917298 Krista Bowman 2015-08-21T15:59:55Z https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727202#M917299 <P>When you fully enable ssh version 2 it disables version 1 by default, as 1 cannot work with 2 as per the wiki doc , if you see 2 only in show ip ssh output 1 is not supported , that's the onloy diocs I have below its just know not to have 1 or 1.99 enabled and to specifically set 2 to disable 1</P><P><STRONG>SSH-2</STRONG>, was adopted as a standard. This version is incompatible with SSH-1. SSH-2 features both security and feature improvements over SSH-1. Better security, for example, comes through <A href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange" title="Diffie–Hellman key exchange"><U><FONT color="#0066cc">Diffie–Hellman key exchange</FONT></U></A> and strong <A href="https://en.wikipedia.org/wiki/Integrity" title="Integrity"><U><FONT color="#0066cc">integrity</FONT></U></A> checking via <A href="https://en.wikipedia.org/wiki/Message_authentication_code" title="Message authentication code"><U><FONT color="#0066cc">message authentication codes</FONT></U></A>. New features of SSH-2 include the ability to run any number of <A href="https://en.wikipedia.org/wiki/Unix_shell" title="Unix shell"><U><FONT color="#0066cc">shell</FONT></U></A> sessions over a single SSH connection.<SUP class="reference" id="cite_ref-19"><A href="https://en.wikipedia.org/wiki/Secure_Shell#cite_note-19"><U><FONT color="#0066cc" size="2">[19]</FONT></U></A></SUP> Due to SSH-2's superiority and popularity over SSH-1, some implementations such as <A href="https://en.wikipedia.org/wiki/Lsh" title="Lsh"><U><FONT color="#0066cc">Lsh</FONT></U></A><SUP class="reference" id="cite_ref-20"><A href="https://en.wikipedia.org/wiki/Secure_Shell#cite_note-20"><U><FONT color="#0066cc" size="2">[20]</FONT></U></A></SUP> and <A href="https://en.wikipedia.org/wiki/Dropbear_(software)" title="Dropbear (software)"><U><FONT color="#0066cc">Dropbear</FONT></U></A><SUP class="reference" id="cite_ref-21"><A href="https://en.wikipedia.org/wiki/Secure_Shell#cite_note-21"><U><FONT color="#0066cc" size="2">[21]</FONT></U></A></SUP> support only the SSH-2 protocol.</P><P>ip ssh version 2</P><P>CORE#sh ip ssh<BR />SSH Enabled - version 2.0<BR />Authentication timeout: 60 secs; Authentication retries: 2</P><P><A href="https://en.wikipedia.org/wiki/Secure_Shell">https://en.wikipedia.org/wiki/Secure_Shell</A></P><P><A href="http://www.cisco-faq.com/178/disable_ssh_v1_ssh_version_2.html">http://www.cisco-faq.com/178/disable_ssh_v1_ssh_version_2.html</A></P> Mon, 24 Aug 2015 08:03:45 GMT https://community.cisco.com/t5/network-security/disable-sshv1-2960/m-p/2727202#M917299 Mark Malone 2015-08-24T08:03:45Z