Cisco ISE SSH ciphers

umahar
Cisco Employee

Hi,

 

An infosec team is in the process of certifying ISE and is seeking clarification on the various parameters used in SSH.

 

Only the approved key exchanges below should be used:

KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

 

Use only the approved MACs below:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

 

Use only the host keys below:

HostKey ecdsa-sha2-nistp521-cert-v01@openssh.com

HostKey ecdsa-sha2-nistp384-cert-v01@openssh.com

HostKey ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKey ecdsa-sha2-nistp521

HostKey ecdsa-sha2-nistp384

HostKey ecdsa-sha2-nistp256

HostKey ssh-ed25519-cert-v01@openssh.com

 

Is there any documentation that talks about this?

I would appreciate it if anyone could point me in that direction.

 

If not, should we just look at the Red Hat documentation to verify these parameters, as it is the underlying OS?

However, in the past we have had to seek TAC's help to enable strong ciphers via a root patch.
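One way to check a node against the lists quoted in this question, as an added example that is not from the original thread or from Cisco: it parses `sshd -T` output (or sshd_config-style lines) and reports any offered algorithm outside the approved sets. It assumes the HostKey list is meant as the allowed host key algorithms (compared against the `hostkeyalgorithms` keyword); the sample dump is constructed, not taken from a real ISE node.

```python
APPROVED = {
    "kexalgorithms": {
        "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
        "diffie-hellman-group-exchange-sha256",
    },
    "macs": {
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
        "umac-128@openssh.com",
    },
    # Assumption: the post's HostKey list is read as the allowed host key
    # algorithms, i.e. what sshd reports under "hostkeyalgorithms".
    "hostkeyalgorithms": {
        "ecdsa-sha2-nistp521-cert-v01@openssh.com",
        "ecdsa-sha2-nistp384-cert-v01@openssh.com",
        "ecdsa-sha2-nistp256-cert-v01@openssh.com",
        "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
        "ssh-ed25519-cert-v01@openssh.com",
    },
}

def parse_sshd_dump(text):
    """Parse "keyword v1,v2" lines (sshd -T output or sshd_config style) into {keyword: [values]}."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            cfg[parts[0].lower()] = [v for v in parts[1].split(",") if v]
    return cfg

def audit(cfg):
    """Map each keyword to its offered-but-not-approved algorithms; a missing keyword gets a placeholder."""
    findings = {}
    for keyword, approved in APPROVED.items():
        offered = cfg.get(keyword)
        if offered is None:
            findings[keyword] = ["<keyword missing from dump>"]
        elif any(a not in approved for a in offered):
            findings[keyword] = sorted(a for a in offered if a not in approved)
    return findings

# Constructed sample, not a real ISE node: one disallowed value per keyword.
SAMPLE_DUMP = """\
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256
"""
if __name__ == "__main__":
    for keyword, bad in audit(parse_sshd_dump(SAMPLE_DUMP)).items():
        print(f"{keyword}: not approved -> {', '.join(bad)}")
```

Run it with the real `sshd -T` output from a node instead of `SAMPLE_DUMP`; an empty result means everything offered is on the approved lists.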

 

Accepted Solution

hslai
Cisco Employee

Recent ISE releases have some options for SSH. See the configuration-mode command service:

ise-1/admin(config)# service sshd ?
  enable                  Enable sshd service
  encryption-algorithm    Configure SSH encryption algorithms. supported algorithms are a
  encryption-mode         Configure SSH encryption mode on system. Supported modes are cb
  key-exchange-algorithm  Specify allowable key exchange algorithms for sshd service
  loglevel                Log level of messages from sshd to secure system log

If you need additional options, please remember to ask TAC to file new bugs if no existing ones fit the bill.


4 Replies

Jason Kunst
Cisco Employee

umahar
Cisco Employee

Hi Hsing,

 

Which ISE version are you using?

I am using 2.4 and am not seeing the same output.

[attached image: ssh.png]

I am running patch 8 on 2.4 and see the same as Hsing.