deprecated SSH Cryptographic Settings

Brandon Matthee
Level 1

Good Day

During our internal scan of the Cisco APIC, we have identified the existing APIC is running deprecated SSH Cryptographic Settings. I checked the existing management profile for the APIC and there is no option to disable deprecated SSH settings. I suspect the APIC could be impacted by the bug CSCvw85218 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw85218?rfs=iqvred)

Is there a procedure to remove the deprecated SSH settings from the management profile?

APIC details

Software Version - 4.2(6l)

Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-11 08:15 GMT
Nmap scan report for x.x.x.x
Host is up (0.25s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (8)
| diffie-hellman-group1-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha1
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp521
| ecdh-sha2-nistp384
| ecdh-sha2-nistp256
| curve25519-sha256
| server_host_key_algorithms (1)
| ssh-rsa
| encryption_algorithms (2)
| aes256-ctr
| chacha20-poly1305@openssh.com
| mac_algorithms (1)
| hmac-sha2-512
| compression_algorithms (2)
| none
|_ zlib@openssh.com

Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds
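As an added example (not part of the post or of any Cisco tooling), a small Python parser that reads the ssh2-enum-algos output above and reports which offered algorithms fall into the classes SSH hardening scanners commonly flag as deprecated. The weak-algorithm patterns are my own assumed checklist (SHA-1 key exchange, SHA-1 host-key signatures, CBC/RC4/3DES ciphers, MD5/SHA-1 or truncated MACs), not the scanner's rule set.

```python
import re

# The ssh2-enum-algos block from the scan posted above (APIC 4.2(6l)), used as sample input.
SCAN_OUTPUT = """\
| ssh2-enum-algos:
| kex_algorithms (8)
| diffie-hellman-group1-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha1
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp521
| ecdh-sha2-nistp384
| ecdh-sha2-nistp256
| curve25519-sha256
| server_host_key_algorithms (1)
| ssh-rsa
| encryption_algorithms (2)
| aes256-ctr
| chacha20-poly1305@openssh.com
| mac_algorithms (1)
| hmac-sha2-512
| compression_algorithms (2)
| none
|_ zlib@openssh.com
"""

# Assumed checklist: SHA-1 KEX and host-key signatures, CBC/RC4/3DES ciphers, weak or truncated MACs.
WEAK = {
    "kex_algorithms": re.compile(r"-sha1$"),
    "server_host_key_algorithms": re.compile(r"^(ssh-rsa|ssh-dss)$"),
    "encryption_algorithms": re.compile(r"-cbc$|^3des|arcfour|^none$"),
    "mac_algorithms": re.compile(r"hmac-md5|hmac-sha1|-96"),
}

def parse_enum_algos(text):
    """Return {section: [algorithms]} from nmap ssh2-enum-algos script output."""
    sections, current = {}, None
    for raw in (l.strip() for l in text.splitlines() if l.lstrip().startswith("|")):
        body = raw.lstrip("|_ ").rstrip()            # drop the "| " or "|_ " prefix
        m = re.match(r"^(\w+) \(\d+\)$", body)       # section header, e.g. "kex_algorithms (8)"
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and body:                       # skips the "ssh2-enum-algos:" title line
            sections[current].append(body)
    return sections

def find_weak(sections):
    """Return {section: [flagged algorithms]} for every section that offers a weak option."""
    hits = {s: [a for a in sections.get(s, []) if p.search(a)] for s, p in WEAK.items()}
    return {s: a for s, a in hits.items() if a}
```

Running `find_weak(parse_enum_algos(SCAN_OUTPUT))` on the posted scan flags the three SHA-1 Diffie-Hellman KEX methods and the ssh-rsa host-key algorithm, while the cipher and MAC sections come back clean.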

1 Reply

Robert Burns
Cisco Employee

The best way to resolve this issue would be to upgrade to a patched version of APIC which exposes the ability to select which KEX algorithms are allowed.  This would be versions 4.2(7f) or later, or 5.2(1g) or later. 

Robert
