Disabling weak cipher for SSH connection

Jay Tiwari
Cisco Employee

Hi Guys,

In a customer VA/PT it has been found that ISE 2.3P4 is using weak ciphers (aes-128-cbc & aes-256-cbc) for SSH, and now Cisco is asked to disable these ciphers and enable aes-128-ctr and aes-256-ctr.

We tested in lab environment, it works with SecureCRT8.5.1, however, question is:

If I give this solution to the customer, and in future any issue comes up and the customer reaches Cisco, will Cisco provide support in this case, as I don't see this kind of practice of changing things with root access?

Many Thanks,

Regards,

Jay

Accepted Solution

howon
Cisco Employee

If it was changed using the regular CLI, using the following command, then it is supported. The following command is available with ISE 2.4p4:

ise/admin(config)# service sshd encryption-algorithm ?
  aes128-cbc  Configure aes128-cbc algo
  aes128-ctr  Configure aes128-ctr algo
  aes256-cbc  Configure aes256-cbc algo
  aes256-ctr  Configure aes256-ctr algo

2 Replies

hslai
Cisco Employee

Adding to Hosuk's, CSCux88538 is resolved in ISE 2.4, ISE 2.3 Patch 3, 2.2.1 Patch 1, and 2.2 Patch 7 to provide such options:

myISE22/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
myISE22/admin(config)# service sshd ?
enable Enable sshd service
encryption-algorithm   Configure SSH encryption algorithms. supported algorithms are a
encryption-mode        Configure SSH encryption mode on system. Supported modes are cb
key-exchange-algorithm Specify allowable key exchange algorithms for sshd service
loglevel               Log level of messages from sshd to secure system log

myISE22/admin(config)# service sshd encryption-mode ?
cbc Configure cbc cipher suites (aes128-cbc and aes256-cbc)
ctr Configure ctr cipher suites (aes128-ctr and aes256-ctr)