06-30-2014 09:33 AM - edited 03-10-2019 09:50 PM
Our network security testers have identified a vulnerability in our ACS 5.5 system. SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by the testers. How can we set the ACS to only use more secure SSH connections?
The SSH command in the CLI doesn't appear to give encryption options.
Thanks.
06-30-2014 01:39 PM
First of all, how do you determine that the ACS server is accepting MD5 and 96-bit MAC algorithms?
I tested on the ACS 5.4 patch 6 and I am not seeing anything for MD5:
CentOS-linux>ssh -m hmac-sha1 -l admin 192.168.1.55
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved
Password:
Last login: Mon Jun 30 20:30:47 2014 from 150.123.148.239
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved
acs1/admin# exit
Connection to 192.168.1.55 closed.
CentOS-linux>ssh -m hmac-md5 -l admin 192.168.1.55
no matching mac found: client hmac-md5 server hmac-sha1
CentOS-linux>
Where did you get that information from, some system scanners?
08-06-2014 03:46 AM
Hi, I ran a variation of cciesec2011's command with 8 hmac variations; the results indicate that all of the encryption levels can be used.
echo | ssh -v -m hmac-sha1 admin@localhost 2>&1 | grep "kex"
I substituted -sha1 for md5, ripemd160, sha1-96, md5-96, sha2-256, sha2-512 and umac-64@openssh.com.
We are still trying to find out how to disable specific low encryption levels within the ACS GUI or command line.
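A script that runs the same per-MAC check from the two posts above over all eight algorithms at once, added here as an example rather than anything from the thread or from Cisco. It assumes an OpenSSH client that supports each MAC listed (a MAC the client itself lacks is reported separately), and the host and user on the usage line are placeholders for your own ACS address. Each attempt is classified from the client's -v output instead of by logging in: the MAC is agreed during key exchange, before authentication, so a refused password still proves the server accepted that MAC.

```shell
#!/bin/sh
# ssh-mac-audit.sh: report which MACs an SSH server will negotiate.
# Added example, not from the thread or from Cisco. Assumes an OpenSSH
# client that knows every MAC in $MACS; host and user are placeholders.

MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-ripemd160 \
hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com"

# Classify the diagnostic output of one "ssh -v -m <mac>" attempt.
# Arguments: the MAC that was forced, and the captured stderr text.
# - "no matching mac found" is the server refusing the MAC (as in the test above).
# - "Unknown mac type" / "Bad SSH2 mac spec" means the client does not offer it.
# - A kex line naming the MAC for server->client means the server accepted it
#   (newer clients print "MAC: <name>", older ones list it bare after the cipher).
classify_mac_output() {
    mac="$1"; out="$2"
    case "$out" in
        *"no matching mac found"*)                       echo "rejected" ;;
        *"Unknown mac type"*|*"Bad SSH2 mac spec"*)      echo "client-unsupported" ;;
        *"MAC: $mac "*|*"server->client"*" $mac "*)      echo "accepted" ;;
        *)                                               echo "unknown" ;;
    esac
}

# Probe one MAC. BatchMode stops the run from blocking on a password prompt;
# the connection still reaches key exchange, which is all we need to observe.
probe_mac() {
    mac="$1"; host="$2"; user="$3"
    out=$(ssh -v -o BatchMode=yes -o ConnectTimeout=5 \
              -m "$mac" -l "$user" "$host" true 2>&1)
    classify_mac_output "$mac" "$out"
}

# Try every MAC against one host and print a one-line verdict per algorithm.
audit_macs() {
    host="$1"; user="$2"
    for mac in $MACS; do
        printf '%-22s %s\n' "$mac" "$(probe_mac "$mac" "$host" "$user")"
    done
}

# Usage: sh ssh-mac-audit.sh <acs-host> <admin-user>
if [ $# -eq 2 ]; then
    audit_macs "$1" "$2"
fi
```

Any MAC reported as "accepted" that your policy forbids is what to raise with TAC or the hardening guide; "client-unsupported" rows only say your client could not test that algorithm, not that the server refuses it.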
05-26-2016 08:15 AM
Did you find a solution to this? I am trying to find out how to do this as well.