01-14-2017 11:59 AM
Hello Everyone,
Please, I need your experience and suggested resources on an SSH-related message I am getting from my security team's network scan. Their report indicates that one of my switches accepts SSH ver 1 connections. When I received this report I enabled SSH ver 2 and used the show command to verify. SSH is correctly set to ver 2. I believe that if ver 2 is enabled it automatically disables SSH ver 1 and the report is a false positive. However, I want to see if anyone has encountered such an issue. My questions are:
1. Is it possible that a switch still allows SSH ver 1 connections while it's configured to use ver 2?
2. If so, how can we ensure such connections are prevented?
I thank you in advance for your contribution.
01-16-2017 02:32 AM
Once your switch shows it is enabled for SSHv2, your setting is correct. Make sure it does not say 1.99, or that will allow previous versions.
Another thing is to lock down what users are using to access the device. We only allow PuTTY; in PuTTY you can specify that they can only initiate v2 sessions, so you can prevent anyone trying to use v1 from there too.
xxxx#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
01-16-2017 04:39 AM
I believe it's a false positive. They may be keying on the algorithms used rather than the SSH version. You should be able to verify independently by setting your SSH client to use v1 only and attempting to log in.
On my ASA running 9.6(2) with "ip ssh version 2" set, it would not allow me to log in using SSH1. I got the same results on two different switch types - a 3650 running IOS-XE 03.06.03 and an older 3560 running IOS 12.2(55)SE8.
I also recommend giving Karsten's informative document a read:
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security
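The independent check suggested above (point a v1-only client at the device) and the earlier warning about a "1.99" version string can both be automated by reading the server's SSH identification line, which is also what many scanners key on. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. The sample banners are constructed (the "Cisco-1.25" software string is assumed for illustration), and the network probe is only exercised when you pass a host on the command line.

```python
"""Classify an SSH server's identification string for SSH-1 exposure.

Added example, not from the original thread. Per RFC 4253 section 5.1 a
server advertising "SSH-1.99-..." supports SSH-2 but still falls back to
SSH-1; "SSH-2.0-..." is SSH-2 only; "SSH-1.x-..." is SSH-1 only.
"""
import re
import socket
import sys

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(banner: str) -> dict:
    """Return protocol version, software string and which protocol majors are accepted."""
    line = banner.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    return {
        "protocol": proto,
        "software": m.group("software"),
        "comments": m.group("comments"),
        # "1.99" is the compatibility flag: an SSH-2 server that still accepts SSH-1
        "allows_v1": proto.startswith("1."),
        "allows_v2": proto in ("2.0", "1.99"),
    }


def assess(banner: str) -> str:
    """Map a banner to the verdict a scan reviewer needs."""
    info = parse_ssh_banner(banner)
    if info["allows_v1"] and info["allows_v2"]:
        return "SSH-1 fallback enabled (1.99): finding is real, restrict the server to version 2"
    if info["allows_v1"]:
        return "SSH-1 only: finding is real"
    return "SSH-2 only: an SSH-1 finding is a false positive; review the offered algorithms instead"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line from a live host (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):  # RFC 4253 4.2 permits other lines before the SSH- line
            line = f.readline(255)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return line.decode("ascii", errors="replace")
    raise ValueError(f"no SSH identification string received from {host}:{port}")


# Constructed sample banners, not captured from the poster's devices
SAMPLE_BANNERS = {
    "v2-only": "SSH-2.0-Cisco-1.25\r\n",
    "compat": "SSH-1.99-Cisco-1.25\r\n",
    "v1-only": "SSH-1.5-Cisco-1.25\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        banner = grab_banner(sys.argv[1], port)
        print(banner.strip(), "->", assess(banner))
    else:
        for name, b in SAMPLE_BANNERS.items():
            print(f"{name:8} {b.strip():22} -> {assess(b)}")
```

Run it with no arguments to see the three constructed cases, or `python ssh_banner.py 10.0.0.1` against a switch. The PuTTY-based test in this thread corresponds to `ssh -1 user@host` on OpenSSH clients older than 7.6 (which dropped SSH-1 client support); a device configured for version 2 answers with "SSH-2.0-..." and the v1 client refuses to continue. If the banner says 2.0 and the scanner still reports a problem, the finding is more likely about the algorithms the device offers (for example the ssh-rsa host key and publickey algorithms shown in the "sh ip ssh" output above) than about protocol version 1.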
01-16-2017 04:45 PM
Marvin,
I thank you for the suggestion and the link provided. I will definitely verify by using ver 1 and post my result.
Would it be possible for an attacker to bypass our configuration to use ver 2 and use SSH 1, since the ciphers are available inside the IOS?
01-16-2017 05:50 PM
I never say anything is "not possible". Reference the Snowden revelations.
However, if one has done due diligence and secured the management and control planes of a device according to vendor and industry best practices, that generally suffices for protection against all threats short of a hostile insider with privileged access or a state-sponsored intelligence service. If either of those is your threat landscape then no amount of configuration will suffice.
01-16-2017 05:50 PM
Practically I agree 100%, and I am just trying to figure out how the scanner possibly detected such a vulnerability even though it could be a false positive. I will share my result 2rw after testing it with ver 1.
01-30-2017 05:27 PM
I have verified that the report about SSH ver 1 is a false positive. I used an SSH ver 1 connection and my switch replied with a PuTTY fatal error saying "SSH protocol version 1 required by configuration but not provided by server."
On top of this, I have checked that the recently applied firmware disables the weak ciphers on the switch.
01-30-2017 06:52 PM
Thanks for the follow up with your results. That helps people searching for similar information in the future.