Hi, please see the below. The command cannot be entered on the C2900 switch. Is this switch not supported, or is it something else?
A01(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
@zshowip This guide implies that SSH ciphers are not configurable: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg.pdf. Those commands would certainly work on newer IOS-XE images.
@Rob Ingram Thank you for your reply.
We have the below info. Is it possible to remediate the issue without upgrading the IOS? Thanks.
Deprecated SSH Cryptographic Settings port 22/tcp
General remote services
The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another.
The target is using deprecated SSH cryptographic settings to communicate.
A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) .
Settings currently considered deprecated:
Ciphers using CFB or OFB
Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
RC4 cipher (arcfour, arcfour128, arcfour256)
The RC4 cipher has a cryptographic bias and is no longer considered secure
Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)
Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)
DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
Key exchange algorithm "rsa1024sha1"
Very uncommon, and deprecated because of the short RSA key size
MAC algorithm "umac-32"
Very uncommon, and deprecated because of the very short MAC length
This is available only in SSHv1
There is no exploitability information for this vulnerability.
There is no malware information for this vulnerability.
key exchange diffie-hellman-group1-sha1
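As an added example (my own code, not from this thread, the scanner, or Cisco), here is a small Python checker that applies the "settings currently considered deprecated" list from the finding above to the algorithm name-lists an SSH server offers. The name-lists in SAMPLE_OFFERED are constructed to resemble a device that still offers diffie-hellman-group1-sha1 and 3DES, as the scan result reports; they were not captured from the poster's switch. The regular expressions that map each item of the finding onto SSH algorithm names are my assumption.

```python
"""Offline check of SSH algorithm name-lists against the deprecated-settings
list in the scanner finding quoted in the post above."""
import re
from typing import Dict, List, Tuple

# Rules transcribed from the finding: (category, regex over algorithm name,
# reason). The regexes are an assumption about how each finding item maps
# onto the algorithm names used in SSH name-lists (RFC 4253).
DEPRECATED_RULES: List[Tuple[str, str, str]] = [
    ("cipher", r"-(cfb|ofb)(@|$)", "CFB/OFB mode, weaker than CTR or GCM"),
    ("cipher", r"^arcfour(128|256)?$", "RC4 has a cryptographic bias"),
    ("cipher", r"^(des|3des|blowfish|idea|cast128)(-|$)", "64-bit block size (Sweet32)"),
    ("kex", r"^(diffie-hellman-group1-sha1|gss-group1-sha1-)", "DH group 1, 1024-bit (Logjam-style)"),
    ("kex", r"^rsa1024-?sha1$", "short RSA key size"),
    ("mac", r"^umac-32(@|$)", "very short MAC length"),
]


def parse_name_list(text: str) -> List[str]:
    """Split a comma-separated SSH name-list into names, dropping
    empty entries and surrounding whitespace."""
    return [n.strip() for n in text.split(",") if n.strip()]


def deprecated_reason(category: str, name: str) -> str:
    """Return the deprecation reason for one algorithm, or "" if it is
    not on the deprecated list for that category."""
    for cat, pattern, reason in DEPRECATED_RULES:
        if cat == category and re.search(pattern, name):
            return reason
    return ""


def audit(offered: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (category, algorithm, reason) for every offered algorithm that
    matches a deprecated rule. Merely offering a weak algorithm is flagged,
    because a client that proposes it first will negotiate it."""
    findings: List[Tuple[str, str, str]] = []
    for category, name_list in offered.items():
        for name in parse_name_list(name_list):
            reason = deprecated_reason(category, name)
            if reason:
                findings.append((category, name, reason))
    return findings


# Constructed sample: a server still offering DH group 1 and 3DES next to
# acceptable choices. Not captured from the poster's switch.
SAMPLE_OFFERED: Dict[str, str] = {
    "kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
    "cipher": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc",
    "mac": "hmac-sha1,hmac-sha1-96",
}

if __name__ == "__main__":
    for category, name, reason in audit(SAMPLE_OFFERED):
        print(f"{category:6} {name:30} {reason}")
```

To check a real device, replace SAMPLE_OFFERED with the kex, cipher and MAC name-lists the server advertises (a client's verbose connection log or a scanner shows them). Note that CBC-mode ciphers such as aes128-cbc are not on this finding's deprecated list, so the checker does not flag them; only the items the finding names are covered.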