cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4791
Views
7
Helpful
5
Replies

apic ssh stronger ciphers

Hello. Hope you are all doing fine.

 

Do you know how to change the ssh ciphers for the apic/leafs/spines connections to be stronger using ctr ciphers instead of cbt?

I can´t acces the devices using ssh if I dont have an older Secure CRT version.

 

If I try to connect from another switch for example, i get this error:

No matching ciphers found. Client (10.x.x.x) supported ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se .Server supported ciphers : aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com

 

So what is asking is to use ctr in order to be able to connect from the switch.... the same from secure.
I know I can enable weaker ciphers on switches but I would like to improve to ctr.

1 Accepted Solution

Accepted Solutions

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @Fernando Hernández 

It looks like the CRT is the default one enabled, at least in the version I am running (4.2.5k):

Screenshot 2021-01-22 091520.png

You can find the settings at Fabric -> Fabric Policies -> Policies -> Pod -> Management Access -> Default

Also, these are the other available cipher options:

Screenshot 2021-01-22 091643.png

 

Stay safe,

Sergiu

 

View solution in original post

5 Replies 5

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @Fernando Hernández 

It looks like the CRT is the default one enabled, at least in the version I am running (4.2.5k):

Screenshot 2021-01-22 091520.png

You can find the settings at Fabric -> Fabric Policies -> Policies -> Pod -> Management Access -> Default

Also, these are the other available cipher options:

Screenshot 2021-01-22 091643.png

 

Stay safe,

Sergiu

 

Hey thank you so much for letting me know where to find those values.

 

It is really weird cause I have the same version as you and yeah, they are ctr. I just dont understand why when I try to connect from another switch it shows that the apic has cbt.

No matching ciphers found. Client (10.x.x.x) supported ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se .Server supported ciphers : aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com

 

10.x.x.x on the message is the APIC IP.
Just to confirm..... ctr is stronger than cbt right?

Sergiu.Daniluk
VIP Alumni
VIP Alumni

Hi @Fernando Hernández 

I think there is a confusion here. 

This is the error you receive:

Client (10.x.x.x) supported ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

Server supported ciphers : aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com

 

The client is your application or device from where you try to open the ssh connection.

The server is the APIC.

In other words, APIC supports CTR and your client supports CBC.  CTR is more safer cipher compared with CBC. What you need to do is update the application to support CTR as well.

 

Stay safe,

Sergiu

 

Yeah, I thought so, but the log is little bit confusing showing the APIC IP next to the word client.

 

That is definitely strange. Definitely a good self-suggestion from the switch side to upgrade ^_^

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License