Solved: How to disable DH-14 group1 and SHA-1 from Cisco ISE sshd service?

adamscottmaster2013 · ‎02-28-2023

When I ssh into my Cisco ISE 3.1 patch-5 appliance from my Ubuntu server 22.0.4-5 LTS, I get this:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com

I would like to disable these weak security settings from the Cisco ISE because security folks require us to do so. I can do this easily on Linux server by modifying the /etc/ssh/sshd_config but since the Cisco ISE is a black box, how do I go about doing it?

CiscoISE/admin(config)# service sshd ?
enable Enable sshd service
encryption-algorithm Configure SSH encryption algorithms. supported algorithms are a
encryption-mode Configure SSH encryption mode on system. Supported modes are cb
key-exchange-algorithm Specify allowable key exchange algorithms for sshd service
loglevel Log level of messages from sshd to secure system log

CiscoISE/admin(config)# service sshd

Any ideas?

adamscottmaster2013 · ‎09-01-2023

Not possible with Cisco ISE: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq64821

View solution in original post

Greg Gibbs · ‎02-28-2023

You can configure the sshd service to restrict the key exchange algorithm to the following options:

ise31-1/admin(config)# service sshd key-exchange-algorithm ?
diffie-hellman-group14-sha1 Restrict key exchange algorithm to diffie-hellman-group14-sha1
ecdh-sha2-nistp256 Restrict key exchange algorithm to ecdh-sha2-nistp256
ecdh-sha2-nistp384 Restrict key exchange algorithm to ecdh-sha2-nistp384
ecdh-sha2-nistp521 Restrict key exchange algorithm to ecdh-sha2-nistp521

There is an enhancement bug filed to support diffie-hellman-group-exchange-sha256, but this has not been applied to any currently shipping version of ISE at this time.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa33476

adamscottmaster2013 · ‎09-01-2023

@Greg Gibbs: This is what I currently have on the ISE 3.2 patch-2:

service sshd enable
service sshd encryption-algorithm aes256-ctr aes256-gcm-openssh.com
service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
service sshd loglevel 4

However, whenever I ssh to the ISE from my ubuntu box with the verbose options, ssh -vvv admin@cisco_ise_ip, I see this:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com

seems like hmac-sha1 is still there and it is confirmed by Qualys scan. How do I go about getting rid of that?

adamscottmaster2013 · ‎09-01-2023

Not possible with Cisco ISE: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq64821