
Changing cipher for ssh access

Leftz
Level 4

Hi, we have Cisco switches. In order to access these switches (it may be an old switch or an old CRT) via SSH, some ciphers need to change. Can we change these ciphers via the command below to add or delete any of these ciphers? The command is like below. I tried to delete one, but it looks like it cannot be deleted. Thank you

ip ssh client algorithm encryption aes128-ctr


SW(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3371933816

Accepted Solution

@Leftz to change the cipher, just specify exactly which ciphers you want to use. For example, if you just want AES256 CTR:

show run | inc ssh
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr

Specify the cipher you want to use; this removes the other ciphers.

ip ssh server algorithm encryption aes256-ctr
show run | inc ssh
ip ssh server algorithm encryption aes256-ctr

You should definitely remove 3DES, it is insecure; you may also want to remove AES CBC. Obviously you should test and ensure connectivity remains before rolling this out to the rest of the network.


11 Replies

As far as I know the NO command does not work; you need to return to the default via the command below.
default ip ssh client algorithm encryption

Leftz
Level 4

@MHM Cisco World Thank you very much for your reply. I defaulted it with the command mentioned above. After deleting aes128-ctr, it still exists. Please see below.

SW(config)#do sh ip ssh | i ctr
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
SW(config)#
SW(config)#no ip ssh client algorithm encryption aes128-ctr
SW(config)#
SW(config)#do sh ip ssh | i ctr
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
SW(config)#

There are many encryption ciphers, and both client and server exchange cipher proposals and accept one.

Leftz
Level 4

Why does the command below not work to delete aes128-ctr?

no ip ssh client algorithm encryption aes128-ctr

That is hard to answer; from the Cisco command reference the NO command is available, and the default option is not suitable for you, so can you try

changing the order of the ciphers from

aes256-ctr,aes192-ctr,aes128-ctr
to be

aes128-ctr,aes256-ctr,aes192-ctr

then try deleting it with

no ip ssh client algorithm encryption aes128-ctr

Did you try changing the order of the ciphers and then deleting the first one?

balaji.bandi
Hall of Fame

What switch model is this, and what IOS code is running on the switch?

@MHM Cisco World suggested the no command, which should work; if not, please refer to the security best practices:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html


BB


Leftz
Level 4

@balaji.bandi Thanks for your reply. They are good Cisco documents.

The switch mentioned above is a new 9300. We just want to test some cipher commands on it. The reason is that we have an old 3850 switch with 03.06.06E, which needs a cipher upgrade or an IOS upgrade due to a security vulnerability. I tested the command "no ip ssh client algorithm encryption aes128-ctr"; it looks like these ciphers cannot be changed at the new switch. Maybe we can only add some ciphers.

According to the Cisco documents mentioned above, my understanding is that there are three groups of ciphers; during the SSH process, the server and client have to have at least one common cipher in each of the three cipher groups. If so, we can add newer ciphers to the SSH server (old switch), while on the client side (SecureCRT) we need to keep it at a new version. It would be great if you could correct me where you find something wrong. Below are the three groups of ciphers. Can we say it like this? Thanks

Cisco IOS SSH Server Algorithms
Cisco IOS secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:
aes128-ctr
aes192-ctr
aes256-ctr
aes128-cbc
3des-cbc
aes192-cbc
aes256-cbc
Cisco IOS SSH servers support the Message Authentication Code (MAC) algorithms in the following order:
hmac-sha1
hmac-sha1-96
Cisco IOS SSH servers support the host key algorithms in the following order:
x509v3-ssh-rsa
ssh-rsa

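The negotiation described above (at least one common algorithm in each group) and the accepted answer's approach of listing exactly the algorithms to keep, as an added Python example that is not from the thread or from Cisco: it parses a constructed `show ip ssh` capture, checks a constructed legacy client's algorithm lists against the switch before and after hardening, and emits the explicit IOS lines. The `mac` and `kex` keywords are assumed to follow the `encryption` syntax shown in the thread.

```python
import re

# Constructed sample, based on the 'show ip ssh' capture in the thread with the
# weak entries from the quoted Cisco doc (aes128-cbc, 3des-cbc, hmac-sha1) added.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1
"""

# IOS keyword per category; 'mac' and 'kex' are assumed to mirror the 'encryption' syntax.
CATEGORIES = {"Encryption": "encryption", "MAC": "mac", "KEX": "kex"}
WEAK = ("3des", "-cbc", "sha1")  # 3DES and CBC per the accepted answer; SHA-1 as a further caveat


def parse_show_ip_ssh(text):
    """Map each algorithm category to its ordered list, e.g. {'Encryption': [...], ...}."""
    return {m.group(1): m.group(2).split(",")
            for m in re.finditer(r"^(Encryption|MAC|KEX) Algorithms:(\S+)", text, re.M)}


def negotiate(client, server):
    """RFC 4253 section 7.1: the first client-preferred name the server also offers, else None."""
    return next((a for a in client if a in server), None)


def compatible(client, server):
    """A session needs one common algorithm in every category, not just one overall."""
    return all(negotiate(client[cat], server.get(cat, [])) is not None for cat in client)


def strong_algorithms(algs):
    """Drop weak names from every category, preserving the switch's order."""
    return {cat: [a for a in names if not any(w in a for w in WEAK)] for cat, names in algs.items()}


def hardening_commands(strong):
    """Explicit IOS lines: listing the set replaces it, which is how the weak entries go away."""
    return [f"ip ssh server algorithm {CATEGORIES[cat]} {' '.join(names)}"
            for cat, names in strong.items() if names]


if __name__ == "__main__":
    server = parse_show_ip_ssh(SHOW_IP_SSH)
    # Constructed profile of an old SSH client that only speaks legacy algorithms.
    old_client = {"Encryption": ["3des-cbc", "aes128-cbc"], "MAC": ["hmac-sha1"],
                  "KEX": ["diffie-hellman-group14-sha1"]}
    print("old client before hardening:", compatible(old_client, server))
    hardened = strong_algorithms(server)
    print("old client after hardening:", compatible(old_client, hardened))
    print("\n".join(hardening_commands(hardened)))
```

Running `compatible` for each client you still need to support, before pushing the emitted lines, is the connectivity test the accepted answer asks for.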
Leftz
Level 4

@Rob Ingram Great! It works at the new switch,

but at the old switch it shows like this:

3850#sh run | i ssh
ip ssh time-out 90
ip ssh version 2
transport input ssh
transport input ssh

It does not show ciphers. The question is which cipher is the one we want to specify exactly for that old switch? This might be based on the SecureCRT version, or on which ciphers CRT would use or have, right?

The question here is which SecureCRT version; the new version of SecureCRT supports all of them with backward compatibility. Since the Cat 9300 is a new model, it has more secure cipher suites.

BB
