disable ssh ver1

mestasew1
Level 1

Hello Everyone,

Please, I need your experience and suggested resources on the SSH-related message I am getting from my security team's network scan. Their report indicates that one of my switches accepts SSH version 1 connections. When I received this report I enabled SSH version 2 and used the show command to verify. SSH is correctly set to version 2. I believe that if version 2 is enabled it automatically disables SSH version 1 and the report is a false positive. However, I want to see if anyone has encountered such an issue. My questions are:

1. Is it possible that a switch still allows SSH version 1 connections while it is configured to use version 2?

2. If so, how can we ensure such connections are prevented?

I thank you in advance for your contribution.


7 Replies

Mark Malone
VIP Alumni

Once your switch shows it is enabled for SSHv2 your setting is correct; make sure it does not say 1.99, or that will allow previous versions.

Another thing is to lock down what clients users are using to access the device. We only allow PuTTY; in PuTTY you can specify that they can only initiate v2 sessions, so you can prevent anyone from trying to use v1 from there too.

xxxx#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa

Marvin Rhoads
Hall of Fame

I believe it's a false positive. They may be keying on the algorithms used vs. the SSH version. You should be able to verify independently by setting your SSH client to use v1 only and attempting to log in.

On my ASA running 9.6(2) with "ip ssh version 2" set, it would not allow me to log in using SSHv1. I got the same results on two different switch types: a 3650 running IOS-XE 03.06.03 and an older 3560 running IOS 12.2(55)SE8.

I also recommend giving Karsten's informative document a read:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security
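As an added example, not code from any of the posters above: a small Python script that does what Mark's "1.99" remark and Marvin's "verify independently" suggestion both come down to, which is reading the server's SSH identification string and classifying it. Per RFC 4253, a protoversion of 1.99 means the server also accepts SSHv1 clients, 2.0 means v2 only, and anything lower is v1-only. The sample banners are constructed, not captured from the thread's devices; the `grab_banner` function for probing a live host is optional and the script runs offline on the samples.

```python
"""
Added example (not from the thread): parse an SSH server identification
string and decide whether the device still admits SSHv1 clients.

RFC 4253 section 4.2: the server sends
    SSH-protoversion-softwareversion SP comments CR LF
A protoversion of "1.99" means the server supports both SSHv1 and SSHv2
(RFC 4253 section 5.1); "2.0" means v2 only; "1.5"/"1.3" means v1 only.
"""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comments>.*))?$"
)


@dataclass
class BannerInfo:
    proto: str
    software: str
    comments: Optional[str]

    @property
    def accepts_v1(self) -> bool:
        # 1.99 advertises both protocol versions; anything below 2.0 is v1-only.
        return self.proto == "1.99" or float(self.proto) < 2.0

    @property
    def v2_only(self) -> bool:
        return self.proto == "2.0"


def parse_banner(line: str) -> BannerInfo:
    """Parse one identification string (trailing CR/LF tolerated)."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return BannerInfo(m.group("proto"), m.group("soft"), m.group("comments"))


def classify(banner: str) -> str:
    """Return 'v2-only', 'v1-and-v2' or 'v1-only' for a banner line."""
    info = parse_banner(banner)
    if info.v2_only:
        return "v2-only"
    if info.proto == "1.99":
        return "v1-and-v2"
    return "v1-only"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification string from a live host (network access needed).

    RFC 4253 allows the server to send other lines before the SSH- line,
    so skip anything that does not start with "SSH-".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(50):  # tolerate pre-banner lines but never loop forever
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ConnectionError("no SSH identification string received")


# Constructed sample banners; the version strings are illustrative only.
SAMPLE_BANNERS = {
    "cisco-v2-only": "SSH-2.0-Cisco-1.25",
    "cisco-both": "SSH-1.99-Cisco-1.25",
    "legacy-v1": "SSH-1.5-Cisco-1.25",
    "openssh": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        live = grab_banner(sys.argv[1])
        print(f"{live} -> {classify(live)}")
    else:
        for name, b in SAMPLE_BANNERS.items():
            print(f"{name:14} {b:45} -> {classify(b)}")
```

Run it with a hostname to probe a real device, or with no arguments to see the sample classifications. If a device you have set to "ip ssh version 2" still answers with a 1.99 banner, that is what a scanner would flag, and the device really is admitting v1 clients. One caveat on the client-side test: OpenSSH 7.6 and later ship without SSHv1 client support, so `ssh -1` is no longer available there; PuTTY still lets you force protocol 1.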

Marvin,

I thank you for the suggestion and the link provided. I will definitely verify by using version 1 and post my result.

Would it be possible for an attacker to bypass our configuration to use version 2 and use SSH 1, since the ciphers are available inside the IOS?

I never say anything is "not possible". Reference the Snowden revelations.

However, if one has done due diligence and secured the management and control planes of a device according to vendor and industry best practices, that generally suffices for protection against all threats short of a hostile insider with privileged access or a state-sponsored intelligence service. If either of those is your threat landscape then no amount of configuration will suffice.

Practically I agree 100% and I am just trying to figure out how the scanner possibly detected such a vulnerability even though it could be a false positive. I will share my result tomorrow after testing it with version 1.

I have verified that the report about SSH version 1 is a false positive. I used an SSH version 1 connection and my switch replied with a PuTTY fatal error saying "SSH protocol version 1 required by configuration but not provided by server."

On top of this I have checked that the recently applied firmware disables the weak ciphers on the switch.

Thanks for the follow up with your results. That helps people searching for similar information in the future.