02-28-2023 11:44 AM
When I ssh into my Cisco ISE 3.1 patch-5 appliance from my Ubuntu server 22.0.4-5 LTS, I get this:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
I would like to disable these weak security settings on the Cisco ISE because our security folks require us to do so. I can do this easily on a Linux server by modifying /etc/ssh/sshd_config, but since the Cisco ISE is a black box, how do I go about doing it?
CiscoISE/admin(config)# service sshd ?
enable Enable sshd service
encryption-algorithm Configure SSH encryption algorithms. supported algorithms are a
encryption-mode Configure SSH encryption mode on system. Supported modes are cb
key-exchange-algorithm Specify allowable key exchange algorithms for sshd service
loglevel Log level of messages from sshd to secure system log
CiscoISE/admin(config)# service sshd
Any ideas?
02-28-2023 01:33 PM - edited 02-28-2023 01:33 PM
You can configure the sshd service to restrict the key exchange algorithm to the following options:
ise31-1/admin(config)# service sshd key-exchange-algorithm ?
diffie-hellman-group14-sha1 Restrict key exchange algorithm to diffie-hellman-group14-sha1
ecdh-sha2-nistp256 Restrict key exchange algorithm to ecdh-sha2-nistp256
ecdh-sha2-nistp384 Restrict key exchange algorithm to ecdh-sha2-nistp384
ecdh-sha2-nistp521 Restrict key exchange algorithm to ecdh-sha2-nistp521
There is an enhancement bug filed to support diffie-hellman-group-exchange-sha256, but this has not been applied to any currently shipping version of ISE at this time.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa33476
09-01-2023 06:30 AM
@Greg Gibbs: This is what I currently have on the ISE 3.2 patch-2:
service sshd enable
service sshd encryption-algorithm aes256-ctr aes256-gcm-openssh.com
service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
service sshd loglevel 4
However, whenever I ssh to the ISE from my Ubuntu box with the verbose options (ssh -vvv admin@cisco_ise_ip), I see this:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
Seems like hmac-sha1 is still there, and it is confirmed by a Qualys scan. How do I go about getting rid of that?
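Both posts above rely on reading the server's KEXINIT proposal out of `ssh -vvv` output by eye. The following script, added here as an example and not code from the thread, from Cisco, or from Qualys, parses that transcript and lists every offered algorithm that falls on a weak list, so the result of a `service sshd` change can be checked the same way a scanner would see it. The weak-algorithm lists are an assumption chosen for illustration (SHA-1 based KEX and MACs, CBC ciphers, the ssh-rsa/ssh-dss host key signatures); the two embedded transcripts are constructed from the proposals quoted in the first post and in the follow-up.

```python
"""Audit an `ssh -vvv` transcript for weak algorithms in the server's KEXINIT proposal.

Added example, not from the thread or from Cisco. Reads the `debug2:` lines
OpenSSH prints for the peer proposal and flags algorithms on an assumed deny list.
"""
import re
import sys

# Constructed sample 1: the server proposal quoted in the original post
# (ISE 3.1 patch 5 with the default sshd settings).
SAMPLE_BEFORE = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
"""

# Constructed sample 2: the proposal quoted in the follow-up, after the
# key-exchange-algorithm restriction was applied.
SAMPLE_AFTER = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
"""

# Assumed baseline (illustrative, not a Cisco or Qualys policy): SHA-1 based
# key exchange and MACs, CBC/RC4 ciphers, and SHA-1 host key signatures.
WEAK = {
    "KEX algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha1"},
    "host key algorithms": {"ssh-rsa", "ssh-dss"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour"},
    "MACs": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
}

# One proposal line: category, optional direction (ctos/stoc), comma-separated list.
LINE_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers|MACs|compression)"
    r"(?: (ctos|stoc))?: (.*)$"
)


def parse_kexinit(text, peer="server"):
    """Return the proposal of `peer` ('server' or 'client') as a list of
    (category, direction, [algorithms]) tuples in transcript order.
    OpenSSH prints the local client proposal first, then the peer server one."""
    proposals = {"client": [], "server": []}
    current = None
    for line in text.splitlines():
        if line.rstrip().endswith("KEXINIT proposal"):
            current = "server" if "peer server" in line else "client"
            continue
        m = LINE_RE.match(line.rstrip())
        if m and current:
            category, direction, algos = m.groups()
            proposals[current].append((category, direction, algos.split(",")))
    return proposals[peer]


def find_weak(proposal, weak=WEAK):
    """Return (category, direction, algorithm) for every offered algorithm on the weak list."""
    findings = []
    for category, direction, algos in proposal:
        for algo in algos:
            if algo in weak.get(category, ()):
                findings.append((category, direction, algo))
    return findings


def report(text):
    """Print one line per finding and return the number of findings."""
    findings = find_weak(parse_kexinit(text))
    if not findings:
        print("server offers no algorithm on the weak list")
    for category, direction, algo in findings:
        where = f" ({direction})" if direction else ""
        print(f"WEAK {category}{where}: {algo}")
    return len(findings)


if __name__ == "__main__":
    # Read a real transcript from stdin, or fall back to the constructed sample.
    report(SAMPLE_AFTER if sys.stdin.isatty() else sys.stdin.read())
```

Usage: `ssh -vvv admin@cisco_ise_ip 2>&1 | python3 ssh_kex_audit.py` (OpenSSH writes its debug output to stderr, hence the redirect). On the follow-up's transcript it reports `ssh-rsa` under host key algorithms and `hmac-sha1` in both MAC directions, which matches the Qualys finding: the `key-exchange-algorithm` and `encryption-algorithm` commands shown in the thread cover KEX and ciphers, and neither changes the MAC list. Note that this checks what the server advertises, not what was negotiated; the `debug1: kex: server->client cipher: ... MAC: ...` lines in the same transcript show the algorithms actually chosen for the session.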
09-01-2023 07:57 AM