619 Views, 10 Helpful, 6 Replies

Moving to SSH version 2 from compatible mode - Do I need to re-generate keys?

ramesh.8901
Level 1

Hi All,

On my ASAs (5545 - version 9.5(2)), I am trying to move from the compatible version and force it to only version 2. Is there something that I need to take care of while doing this so that I don't get locked out? Do I need to re-generate the SSH keys once I do this?

I do not have console access to these ASAs, so I want to make sure that I do this right. Can someone please advise?

Here's the output for ssh on my firewall:

sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2

sh run aaa
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL

Thanks!

6 Replies

Make sure you have the following:

- The 3DES-AES license is enabled.

- Make sure the SSH keys are above 768 bits; if not, re-generate them.

- The command to enable SSH v2 is "ssh version 2".

- The SSH client should support v2.

You can also perform these changes from ASDM by going to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH and changing the allowed version to 2 only.

Ashish

Thanks Ashish. 3DES-AES is enabled, but how do I check if the SSH keys are above 768? Also, what does that exactly mean?

And yes, SSH version 2 is supported.

Ignore it; I just tested SSH v2 with a 512-bit key length and it works fine.

So all you need is:

- the 3DES license

- ssh version 2

- a client which supports SSH version 2

For security, 2048 is recommended.
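The two checks above (is the RSA host key large enough, and is the box still in compatible mode) can be read off two things the ASA already gives you: the output of "show crypto key mypubkey rsa", which reports the modulus size of the key pair, and the SSH identification string the ASA sends to any client, which per RFC 4253 reads "SSH-1.99-..." when both protocol versions are allowed and "SSH-2.0-..." once only version 2 is. The script below is an added example written for this thread, not code from the original posts or from Cisco; the sample "show" output and the Cisco banner strings are constructed to match the layout I expect from ASA 9.x, and only the "Modulus Size (bits)" line and the leading "SSH-x.y-" token are actually parsed. It tells you whether to run "crypto key generate rsa modulus 2048" before the change and whether "ssh version 2" is still pending.

```python
import re
from typing import Optional

# Constructed sample of ASA "show crypto key mypubkey rsa" output. The exact
# layout is an assumption modelled on ASA 9.x; only the "Modulus Size (bits)"
# line is parsed, so differences elsewhere do not matter.
SAMPLE_KEY_OUTPUT = """\
Key pair was generated at: 14:02:11 UTC Mar 3 2016
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c4f2a1
"""

# Constructed SSH identification strings. RFC 4253 section 5.1: a server that
# also speaks protocol 1 advertises "1.99"; a v2-only server advertises "2.0".
# The "Cisco-1.25" software-version token is an assumption.
BANNER_COMPAT = "SSH-1.99-Cisco-1.25"
BANNER_V2_ONLY = "SSH-2.0-Cisco-1.25"

RECOMMENDED_BITS = 2048  # what the thread (and current practice) recommends


def rsa_modulus_bits(show_output: str) -> Optional[int]:
    """Return the modulus size from 'show crypto key mypubkey rsa', or None if no key is listed."""
    m = re.search(r"Modulus Size \(bits\):\s*(\d+)", show_output)
    return int(m.group(1)) if m else None


def ssh_mode_from_banner(banner: str) -> str:
    """Classify the server's allowed protocol versions from its identification line."""
    m = re.match(r"SSH-(\d+\.\d+)-", banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group(1)
    if proto == "1.99":
        return "compat"       # versions 1 and 2 allowed (the poster's current state)
    if proto == "2.0":
        return "v2-only"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def preflight(show_output: str, banner: str) -> dict:
    """Decide what still has to happen before/after 'ssh version 2'."""
    bits = rsa_modulus_bits(show_output)
    mode = ssh_mode_from_banner(banner)
    actions = []
    if bits is None:
        actions.append("no RSA key pair found: crypto key generate rsa modulus 2048")
    elif bits < RECOMMENDED_BITS:
        # Regenerating changes the host key, so every client's known_hosts
        # entry for this ASA will mismatch on the next connection.
        actions.append(f"{bits}-bit key: crypto key generate rsa modulus 2048 "
                       "(clients will see a changed host key)")
    if mode != "v2-only":
        actions.append("ssh version 2 (keep this session open, verify from a "
                       "second session, then write memory)")
    return {
        "key_bits": bits,
        "mode": mode,
        "key_meets_recommendation": bits is not None and bits >= RECOMMENDED_BITS,
        "already_v2_only": mode == "v2-only",
        "actions": actions,
    }


if __name__ == "__main__":
    for banner in (BANNER_COMPAT, BANNER_V2_ONLY):
        result = preflight(SAMPLE_KEY_OUTPUT, banner)
        print(f"{banner}: {result['key_bits']}-bit key, mode={result['mode']}")
        for action in result["actions"]:
            print("  ->", action)
```

Paste the real "show crypto key mypubkey rsa" output into `SAMPLE_KEY_OUTPUT` and the first line a client prints with `ssh -v` into the banner to run it against your own boxes. Two points the script encodes that matter for the lockout question: the same RSA host key serves both protocol versions (the reply above confirms v2 works with a 512-bit key), so regeneration is driven by key size, not by the version switch; and because the change applies to new connections, the safe order is to keep the current session open, enter "ssh version 2", open a fresh session to confirm it connects, and only then save the configuration.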

Here is a guide for enabling SSH:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security

Thanks Karsten. I did take a look at this document when I was googling for answers before putting this question up here. It's really good! I was, however, wondering in my case how I go about checking the length of the RSA keys I have and, more importantly, whether I would have to regenerate the keys if I force SSH version 2 from the compatible mode.