Need Guidance on SSH Cipher Suite Commands

Ravi D
Level 1

Hello,

In recent vulnerabilities related to SSH cipher suites, Cisco recommended updating the encryption and MAC algorithms. I want to know the impact when I issue the below commands on ASR 1002-X routers.

Command to add the Encryption Algorithms

ip ssh server algorithm encryption aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr

 

Command to Remove the Encryption Algorithms 

no ip ssh server algorithm encryption aes256-cbc,aes192-cbc,aes128-cbc

 

Command to remove ancient MAC Algorithm

no ip ssh server algorithm mac hmac-sha1

 

Command to update KEX Algorithm

ip ssh server algorithm kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

 

As I am applying these on the production routers, I want to know the impact caused by these changes.

 

Thanks

Ravi

4 Replies

M02@rt37
VIP

Hello @Ravi D,

By adding additional encryption algorithms to the SSH server, you can improve the security of SSH sessions. However, using stronger encryption algorithms may increase CPU and memory usage on the router, which could impact the overall performance of the device, especially during periods of high traffic.

Removing weaker encryption algorithms can improve the security of SSH sessions. However, if any clients are using the removed algorithms, they will no longer be able to connect to the SSH server. Before making this change, ensure that all SSH clients support the remaining encryption algorithms.

Removing HMAC-SHA1 can improve security by preventing attackers from exploiting known vulnerabilities in this algorithm. However, if any SSH clients rely on HMAC-SHA1, they will no longer be able to connect to the SSH server. Again, make sure all SSH clients support the remaining MAC algorithms before making this change.

Updating the key exchange algorithm can improve security by replacing weaker algorithms with stronger ones. However, some older SSH clients may not support the new KEX algorithms, which could prevent them from connecting to the SSH server.

It's essential to thoroughly test these changes in a non-production environment to ensure they work as intended and do not cause any issues.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
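To check the point made above (a client must still share at least one algorithm in every category with the router after the change), here is an added example that is not part of this thread or of any Cisco tool: it predicts the SSH negotiation between the algorithm lists from the question and a given client's lists. The client lists are constructed samples (on a real client they come from ssh -Q cipher / ssh -Q mac / ssh -Q kex), and the router's MAC list after removing hmac-sha1 is an assumption.

```python
# Added example (not from the thread): predict which SSH algorithms a client
# would negotiate against the router's configured lists, per RFC 4253 s7.1:
# the chosen algorithm is the first name in the client's list that the
# server also offers. None in any category means the handshake fails.
from typing import Optional

# Router side: the lists the question's commands leave in place, in order.
# The MAC list (what remains after "no ip ssh server algorithm mac hmac-sha1")
# is an assumption for illustration; confirm it with "show ip ssh".
ROUTER = {
    "cipher": ["aes128-gcm", "aes256-gcm", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
}

# Client side: constructed sample lists in the client's preference order.
MODERN_CLIENT = {
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes128-ctr"],
    "mac": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
}
LEGACY_CLIENT = {
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
}


def negotiate(client: list, server: list) -> Optional[str]:
    """First client-preferred name that the server also offers, else None."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def check_client(client: dict, server: dict = ROUTER) -> dict:
    """Per category, the algorithm that would be chosen (None = no overlap)."""
    return {cat: negotiate(client.get(cat, []), server[cat]) for cat in server}


def will_connect(client: dict, server: dict = ROUTER) -> bool:
    """True only if every category (cipher, mac, kex) has a shared algorithm."""
    return all(chosen is not None for chosen in check_client(client, server).values())


if __name__ == "__main__":
    for name, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, check_client(client), "connects" if will_connect(client) else "FAILS")
```

Run it against each client population (jump hosts, monitoring pollers, automation) before the maintenance window; any client that prints FAILS needs updating first.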

Do we have any specific command to check the SSH client sessions connected or live on a Cisco ASR 1002-X?

We are changing these parameters on our Disaster Recovery site routers, which should not have any live traffic.

Will there be any kind of reboot or any outages expected due to these changes, apart from the CPU and memory usage?

Hello @Ravi D,

Yes, you can use the "show ssh sessions" command to display information about the currently active SSH sessions. This command will show you the source IP address, username, and session ID of each active session.

As for your second question, changing the SSH cipher suite parameters should not cause any reboots or outages on the router. However, as you mentioned, it may cause increased CPU and memory usage during the change process. It's always a good idea to schedule such changes during a maintenance window to minimize any potential impact on network operations.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thank you for all the information. 

Command on ASR 1002-X Router was show ssh.

Yes, we will definitely perform these changes in a maintenance window.