Cisco IOS - what IOS to support any of following hash algorithms?
12-05-2015 12:00 PM
Hi,
We have a need to ssh from a Cisco 3925 to a device which only supports the following hash algorithms:
hmac-sha2-512 or hmac-sha2-512-96
hmac-sha2-256 or hmac-sha2-256-96
hmac-ripemd160
Can anyone advise on an IOS version where the SSH client supports any of the above?
Every IOS version we have tried gives us 'no matching cipher' when ssh'ing to the server.
Thanks in advance.
Labels: Network Management
12-06-2015 08:24 AM
UPDATE - sorry I may be mistaken. I just tested in my lab and, as far as I can tell, my 3925E router doesn't support SHA256 MAC for ssh (either as client or server).
This is shown even in the latest command reference (for IOS through 15.5(2)).
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s6.html#wp3333084566
Check your RSA key. It may have been generated with a short (1024-bit) key length. Also check that your client software is both capable of and set to negotiate using the stronger algorithms.
Generally, most modern router IOS versions (i.e. 15.2 or later) can be configured to support strong hash algorithms (assuming you have the Universal crypto image loaded).
See the release notes here:
http://www.cisco.com/c/en/us/td/docs/ios/15_2m_and_t/release/notes/15_2m_and_t/152-4MNEWF.html#pgfId-83129
...and the configuration guide here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-deploy-rsa-pki.html#GUID-CADC5B64-EAD4-4D41-B852-DA8FE9B078AE
