Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
288
Views
0
Helpful
3
Replies

Encryption Algorithms configuration on switch

noemifabbri
Level 1
Level 1

‎06-03-2024 09:18 AM

Hi everyone, 

One of our customer need to have configured some specific Encryption Algorithms on their switch  WS-C3750X-24 version 15.0(1)SE3. This is his current ip ssh;

sw-core-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa ........

and to make it work with the server we need it needs to be like that; 

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-110641904
ssh-rsa ....

It is possible? How can i do it?

Thanks,

Noemi

Labels:
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎06-03-2024 10:26 AM

 

 - FYI : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-16/sec-usr-ssh-xe-16-book/sec-secure-shell-algorithm-ccc.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

noemifabbri
Level 1
Level 1

‎06-05-2024 12:21 AM

Hi, 

Yes i saw that guide but on this switch there isn't the command ip ssh server that we need to config the ssh algothitm;

sw-ced-3(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
dh Diffie-Hellman
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
precedence IP Precedence value for SSH traffic
pubkey-chain pubkey-chain
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH
connections
stricthostkeycheck Enable SSH Server Authentication
time-out Specify SSH time-out interval
version Specify protocol version to be supported

I think we'll need to upgrade it.

0 Helpful

marce1000
VIP
VIP
In response to noemifabbri

‎06-05-2024 12:56 AM

 

 - You may try upgrading indeed , to disable weak ciphers you can  also try :
                        ip ssh dh min size 2048
   (e.g.)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents