topic SSH Algorithm in Network Security

SSH Algorithm

sameermunj — Fri, 21 Feb 2020 13:04:48 GMT

Hello

Our internal network security team has idntified Vulnerability regarding the SSH server within the catalyst switches.As per the Vulnerability team SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication.These Algorithms are assumed to be weak by

Vulnerability team

Is there any way by which we can change the alogorithms used between SSH server (switch) and client...From the CLI can we change the alogorithm used in this communication.

Kindly suggest.

SSH Algorithm

Collin Clark — Mon, 06 Jan 2014 15:49:38 GMT

Have you enabled SSHv2?

SSH Algorithm

sameermunj — Mon, 06 Jan 2014 16:43:10 GMT

Hello

Ssh is already enabled and is working..this is the vulnerability found by security team during their assessment.just wanted to understand weather the option is available from CLI to configure /change auth algorithms used between Client-server ssh communication.

SSH Algorithm

Collin Clark — Mon, 06 Jan 2014 16:45:12 GMT

Have you enabled SSHv2 or are you running version 1?

SSH Algorithm

sameermunj — Mon, 06 Jan 2014 16:47:49 GMT

SSH-V2 already enabled and working.

Re: SSH Algorithm

Collin Clark — Mon, 06 Jan 2014 16:59:09 GMT

You will need to change the algorithm in your SSH client. There is no way to do it on the server side.

You can view the encrpytion with show ssh when you're connected.

Hope it helps.

Re: SSH Algorithm

sameermunj — Mon, 06 Jan 2014 17:35:37 GMT

Hello

so i need to change the algorithms in my SSH client like the Putty client i used for initiating ssh connection..

the output of show ssh is mentioned below

OLD-1F-192.8#show ssh

%No SSHv1 server connections running.

Connection Version Mode Encryption Hmac State Username

0 2.0 IN aes256-cbc hmac-sha1 Session started a548464

0 2.0 OUT aes256-cbc hmac-sha1 Session started a548464

so here the Hmac state(hmac-sha1) defined is one supported by the switch right?

vulnerability team has concern about hmac-md5 &hmac-md5-96 wherein hmac-sha1 is ok for them..

please confirm..

Re: SSH Algorithm

Collin Clark — Mon, 06 Jan 2014 17:40:34 GMT

Yes the current connections are using SHA1. Correct you would change it Putty if that is what you use. I use SecureCRT and here's a screenshot of how I can set what encryption to use.

SSH Algorithm

sameermunj — Mon, 06 Jan 2014 17:47:19 GMT

Hello

last query is

so the output of show ssh is showing the MAC used from the SSH clinet and this output will change depending on the ssh client configuration and this has nothing to do with SSH server configuration which is the catalayst switch and no way we can change the encrption/auth algorithms to be used by SSH server ( catalyst switch)..

Many Thanks for your help.

SSH Algorithm

Collin Clark — Mon, 06 Jan 2014 18:08:15 GMT

That is correct.

Re: SSH Algorithm

Robert Burlingame — Wed, 03 Mar 2021 17:40:49 GMT

All due respect, I don't think this statement is accurate (Hopefully, I didn't misunderstand the issue.):
"You will need to change the algorithm in your SSH client. There is no way to do it on the server side."

If I look at the ssh server MAC algorithms, I can see hmac-sha1-96 enabled:

LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96

I can restrict those methods with this command:

LAB1-F3-DL1(config)#ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512

LAB1-F3-DL1(config)#
LAB1-F3-DL1(config)#end
LAB1-F3-DL1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512