Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4630
Views
0
Helpful
4
Replies

Cisco ISE SSH ciphers

Go to solution
umahar
Cisco Employee
Cisco Employee

‎05-24-2019 01:23 PM - edited ‎05-24-2019 01:26 PM

Hi,

 

An infosec team is in the process of certifying ISE and is seeking clarification on the various parameters used in SSH.

 

Should use only below approved key exchanges.

KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

 

Use Only below approved MACs

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

 

Use only below Host Keys

HostKey ecdsa-sha2-nistp521-cert-v01@openssh.com

HostKey  ecdsa-sha2-nistp384-cert-v01@openssh.com

HostKey ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKey ecdsa-sha2-nistp521

HostKey ecdsa-sha2-nistp384

HostKey ecdsa-sha2-nistp256

HostKey ssh-ed25519-cert-v01@openssh.com

 

Is there any documentation which talks about it ?

Appreciate if anyone can point me in that direction.

 

If not then should we just look at the Red Hat documentation to verify these parameters as it is the underlying OS.

However in the past we have had to seek TAC's help to enable strong ciphers via root patch.

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-25-2019 12:29 PM

Recent ISE Releases have some options for SSH. See the configuration mode command service

ise-1/admin(config)# service sshd ?
  enable                  Enable sshd service
  encryption-algorithm    Configure SSH encryption algorithms. supported algorithms are a
  encryption-mode         Configure SSH encryption mode on system. Supported modes are cb
  key-exchange-algorithm  Specify allowable key exchange algorithms for sshd service
  loglevel                Log level of messages from sshd to secure system log

If you need additional options, please remember to ask TAC to file new bugs if no existing ones fit the bills.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-25-2019 04:49 AM

We have this but I think we need to dig deeper

https://community.cisco.com/t5/security-documents/ise-security-best-practices-hardening/ta-p/3640651
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎05-25-2019 12:29 PM

Recent ISE Releases have some options for SSH. See the configuration mode command service

ise-1/admin(config)# service sshd ?
  enable                  Enable sshd service
  encryption-algorithm    Configure SSH encryption algorithms. supported algorithms are a
  encryption-mode         Configure SSH encryption mode on system. Supported modes are cb
  key-exchange-algorithm  Specify allowable key exchange algorithms for sshd service
  loglevel                Log level of messages from sshd to secure system log

If you need additional options, please remember to ask TAC to file new bugs if no existing ones fit the bills.

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to hslai

‎05-28-2019 07:53 AM

Hi Hsing,

 

Which ISE version are you using ?

I am using 2.4 and not seeing the same output ?

ssh.png

Preview file
42 KB
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to umahar

‎05-29-2019 12:21 PM

I am running patch 8 on 2.4 and see the same as hsing
0 Helpful
Customers Also Viewed These Support Documents