Cisco FTD Supported SSH Version

Hi Guys.

I hope you are doing fine.

 

Our infrastructure is being audited by an auditor, and they asked us to provide proof that shows our FTDs (we are using Cisco Firepower 2100 series) use SSH version 2.

I looked everywhere in order to find out which SSH version is used by FTD, but I did not find anything.

Could you please help in this matter? Any official document or a command that shows this feature would work.

 

Best Regards,

Peyman

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

It doesn't show up in the config, but you can verify it via demonstration by capturing the session info of a connection. For instance, here's one from PuTTY connecting to FTD 6.6.4:

2021-07-08 11:59:09	We claim version: SSH-2.0-PuTTY_Release_0.70
2021-07-08 11:59:09	Server version: SSH-2.0-OpenSSH_7.5
2021-07-08 11:59:09	Using SSH protocol version 2
2021-07-08 11:59:09	Doing ECDH key exchange with curve Curve25519 and hash SHA-256
2021-07-08 11:59:10	Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
2021-07-08 11:59:10	Host key fingerprint is:
2021-07-08 11:59:10	ssh-ed25519 256 <redacted>
2021-07-08 11:59:10	Initialised AES-256 SDCTR client->server encryption
2021-07-08 11:59:10	Initialised HMAC-SHA-256 client->server MAC algorithm
2021-07-08 11:59:10	Initialised AES-256 SDCTR server->client encryption
2021-07-08 11:59:10	Initialised HMAC-SHA-256 server->client MAC algorithm
2021-07-08 11:59:12	Attempting keyboard-interactive authentication
2021-07-08 11:59:18	Access granted

You can also scan it using nmap to confirm:

nmap -sV -sC <target>

https://nmap.org/nsedoc/scripts/sshv1.html


5 Replies

@Marvin Rhoads Thanks a lot for your answer.

Mike.Cifelli
VIP Alumni
VIP Alumni

To view SSH run-config from FTD CLI: >show running-config ssh

You can manage/configure ssh settings via platform settings within FMC under a Threat Defense Settings policy (FMC->Devices->Platform Settings: Threat Defense Settings->Secure Shell).  I know in older versions of FMC this is where you could specify/show which versions are configured.  I have FMC 6.7 now and that capability is not present, which leads me to believe that it automagically uses v2.  However, I am not sure how to view/extract that nor do I know of any official documentation stating that.

@Mike.Cifelli Thanks for your answer.

I have also searched a lot in this regard but I could not find anything useful.

But I think Marvin's solution helps in this case.

Old post, but I was going through this as well. I like what @Marvin Rhoads showed, but trying to SSH via v1 also generates an error, which could be used as a demo as well.
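Both Marvin's PuTTY capture and the nmap sshv1 script rely on the same thing: the identification string the server sends before key exchange ("SSH-2.0-OpenSSH_7.5" in the log above). The script below is an added example and is not code from this thread or from Cisco; it reads that string and turns it into the wording an auditor wants ("SSH-2 only"). It goes a bit beyond the thread by also handling the RFC 4253 "1.99" compatibility mode and by checking the client/server version rule that explains why a v1 client is refused, as the last reply observed. The host name is a placeholder and the sample banner strings are constructed for an offline run; only the first one is the server string from the PuTTY log.

```python
"""Parse and interpret SSH identification strings (RFC 4253 section 4.2).

Added example for the thread above, not part of the original posts.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


@dataclass(frozen=True)
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    @property
    def offers_v2(self) -> bool:
        # "2.0" is v2 only; "1.99" is the RFC marker for a server that also
        # accepts v2 clients while still speaking v1.
        return self.protoversion in ("2.0", "1.99")

    @property
    def offers_v1(self) -> bool:
        # 1.3, 1.5 and 1.99 all speak the legacy protocol.
        return self.protoversion.startswith("1.")

    def audit_verdict(self) -> str:
        """One-line statement suitable for audit evidence."""
        if self.offers_v2 and not self.offers_v1:
            return "SSH-2 only"
        if self.offers_v2 and self.offers_v1:
            return "SSH-1 and SSH-2 (1.99 compatibility mode)"
        return "SSH-1 only"


def parse_banner(line: str) -> SshBanner:
    """Parse one identification line; raise ValueError if it is not an SSH banner."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comments"])


def can_negotiate(client: SshBanner, server: SshBanner) -> bool:
    """RFC 4253 section 5: the two sides need a protocol major version in common.

    This is why a v1-only client gets an error against a "SSH-2.0" server.
    """
    return (client.offers_v2 and server.offers_v2) or (
        client.offers_v1 and server.offers_v1
    )


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Connect, read the server's identification line, and close.

    No key exchange or authentication is attempted; only the version string
    is read, which is the same evidence PuTTY logs as "Server version".
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The server may send informational lines before the banner; skip them.
        for raw in sock.makefile("rb"):
            line = raw.decode("utf-8", errors="replace")
            if line.startswith("SSH-"):
                return parse_banner(line)
    raise ValueError("connection closed before an SSH identification string")


# Constructed sample strings for an offline demonstration. The first is the
# server string from the PuTTY log above; the other two are made up.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.5\r\n",
    "SSH-1.99-ExampleDaemon_1.0 constructed sample\r\n",
    "SSH-1.5-OldServer\r\n",
]


def audit_report(banners: Iterable[str]) -> dict:
    """Map each software version string to its audit verdict."""
    report = {}
    for b in banners:
        info = parse_banner(b)
        report[info.softwareversion] = info.audit_verdict()
    return report


if __name__ == "__main__":
    for software, verdict in audit_report(SAMPLE_BANNERS).items():
        print(f"{software:30s} -> {verdict}")
    # Against a real device, replace the placeholder with the FTD management address:
    # print(fetch_banner("ftd.example.invalid").audit_verdict())
```

The banner-only read is deliberate: it gives the auditor the server's own protocol declaration without logging in, and the "1.99" branch is the case to watch for on older platforms, where a scan that only looks for "SSH-2.0" would report v2 and miss that v1 is still accepted.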
