05-08-2017 11:32 AM - edited 03-11-2019 12:42 AM
Hi All,
On my ASAs (5545 - version 9.5(2)), I am trying to move from the compatible version and force it to only version 2. Is there something that I need to take care of while doing this so that I don't get locked out? Do I need to re-generate the SSH keys once I do this?
I do not have console access to these ASAs, so I want to make sure that I do this right. Can someone please advise?
Here's the output for SSH on my firewall:
sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2
sh run aaa
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
Thanks!
05-08-2017 12:26 PM
Make sure you have the following:
- 3DES-AES license is enabled
- Make sure SSH keys are above 768; if not, re-generate.
- The command to enable SSH v2 is "ssh version 2"
- SSH client should support v2
You can also perform these changes from ASDM by going to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH and changing the allowed version to 2 only.
Ashish
05-08-2017 03:04 PM
Thanks Ashish. 3DES-AES is enabled, but how do I check if the SSH keys are above 768? Also, what does that exactly mean?
And yes, SSH version 2 is supported.
05-08-2017 03:52 PM
Ignore it; I just tested SSH v2 with a 512 key length and it works fine.
So all you need is:
- 3DES license
- ssh version 2
- a client which supports SSH version 2
05-08-2017 04:47 PM
For security, 2048 is recommended.
05-08-2017 11:43 PM
Here is a guide for enabling SSH:
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security
05-09-2017 04:38 PM
Thanks Karsten. I did take a look at this document when I was googling for answers before posting this question here. It's really good! I was, however, wondering in my case how I go about checking the length of the RSA keys I have and, more importantly, whether I would have to renegotiate the keys if I force SSH version 2 from the compatible mode.
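The thread asks twice how to read the RSA key length before forcing "ssh version 2" without console access. The following pre-flight checker is an added example and is not code from the thread or from Cisco: it parses the text of "show ssh" (quoted in the question) and of "show crypto key mypubkey rsa" (the ASA command that prints the key length) and reports whether the box is already v2-only and whether its key meets the 2048-bit size recommended above. All sample outputs are constructed; the "Modulus Size (bits)" line and the "Version allowed: 2" wording after the change are assumptions about the ASA's output format, so check them against your own device.

```python
"""Pre-flight check before switching a Cisco ASA to SSH version 2 only.

Added example (not from the thread or from Cisco). Parses two ASA show
commands -- "show ssh" and "show crypto key mypubkey rsa" -- and reports
whether the firewall is already v2-only and whether its RSA key meets the
recommended size. Every sample output below is constructed.
"""
from __future__ import annotations

import re

# Constructed: mirrors the "sh ssh" output quoted in the original question.
SHOW_SSH_BEFORE = (
    "Timeout: 60 minutes\n"
    "Versions allowed: 1 and 2\n"
)

# Constructed: assumed wording of the same command after "ssh version 2".
SHOW_SSH_AFTER = (
    "Timeout: 60 minutes\n"
    "Version allowed: 2\n"
)

# Constructed: shaped like "show crypto key mypubkey rsa" output; the
# "Modulus Size (bits)" line (assumed format) answers "how long is my key?".
SHOW_RSA_KEY = (
    "Key pair was generated at: 10:15:03 UTC May 8 2017\n"
    "Key name: <Default-RSA-Key>\n"
    " Usage: General Purpose Key\n"
    " Modulus Size (bits): 1024\n"
    " Key Data:\n"
    "   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181\n"
)

RECOMMENDED_BITS = 2048  # the size recommended earlier in the thread


def parse_allowed_versions(show_ssh: str) -> set[int]:
    """Return the SSH protocol versions the ASA currently accepts."""
    m = re.search(r"Versions? allowed:\s*(.+)", show_ssh)
    if not m:
        raise ValueError("no 'Version(s) allowed' line in show ssh output")
    return {int(v) for v in re.findall(r"\d+", m.group(1))}


def parse_rsa_keys(show_key: str) -> dict[str, int]:
    """Map each RSA key name to its modulus size in bits."""
    keys: dict[str, int] = {}
    name = None
    for raw in show_key.splitlines():
        line = raw.strip()
        if line.startswith("Key name:"):
            name = line.split(":", 1)[1].strip()
        m = re.match(r"Modulus Size \(bits\):\s*(\d+)", line)
        if m and name:
            keys[name] = int(m.group(1))
    return keys


def preflight(show_ssh: str, show_key: str,
              min_bits: int = RECOMMENDED_BITS) -> dict:
    """Summarise what should be true before and after forcing SSH v2 only."""
    versions = parse_allowed_versions(show_ssh)
    keys = parse_rsa_keys(show_key)
    findings = []
    if not keys:
        # Without any RSA key pair SSH will not work at all, v1 or v2.
        findings.append("no RSA key pair found: generate one before changing SSH settings")
    for name, bits in keys.items():
        if bits < min_bits:
            findings.append(f"{name} is {bits} bits; {min_bits} or more is recommended")
    if 1 in versions:
        findings.append("SSH version 1 still allowed; run 'ssh version 2' from an SSHv2 client session")
    return {
        "v2_only": versions == {2},
        "versions": sorted(versions),
        "rsa_keys": keys,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, output in (("before", SHOW_SSH_BEFORE), ("after", SHOW_SSH_AFTER)):
        print(label, preflight(output, SHOW_RSA_KEY))
```

Paste the real output of the two show commands in place of the constructed strings. The one thing this check cannot verify offline is the client side: the session you use to apply "ssh version 2" must itself be an SSHv2 session, otherwise it is the session that gets cut off, which is exactly the lockout the question is worried about.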