Disable SSH Algorithms on CISCO Switches

Clay Kolden - RTC
Community Member


Our Cisco 9300 Catalyst switch has weak SSH algorithms (KEX and MAC ciphers). Specifically, I want to remove the ones listed below and replace them with non-deprecated algorithms. The instructions I have found have been misleading and the commands are inaccurate. Any advice would be greatly appreciated.

KEX:
  diffie-hellman-group-exchange-sha1 (2048-bit)
  diffie-hellman-group14-sha1

MAC:
  hmac-sha1
  hmac-sha1-96

Accepted Solution

Hello @Clay Kolden - RTC,

you can use the following commands to add or delete algorithms:

Sw01(config)#ip ssh server algorithm ?
  authentication  User authentication methods advertised to client
  encryption      Encrytption algorithms advertised to other party
  hostkey         Hostkey publickey algorithms advertised to client
  kex             KEX algorithms advertised to other party
  mac             MAC algorithms advertised to other party
  publickey       Acceptable publickey algorithms for User authentication

For the KEX and MAC algorithms you have many options:

Sw01(config)#ip ssh server algorithm kex ?
  curve25519-sha256              Curve 25519 key exchange algorithm
  curve25519-sha256@libssh.org   Curve 25519 key exchange algorithm old name
  diffie-hellman-group14-sha1    DH_GRP14_SHA1 diffie-hellman key exchange
                                 algorithm
  diffie-hellman-group14-sha256  DH_GRP14_SHA256 diffie-hellman key exchange
                                 algorithm
  diffie-hellman-group16-sha512  DH_GRP16_SHA512 diffie-hellman key exchange
                                 algorithm
  ecdh-sha2-nistp256             ECDH_SHA2_P256 ecdh key exchange algorithm
  ecdh-sha2-nistp384             ECDH_SHA2_P384 ecdh key exchange algorithm
  ecdh-sha2-nistp521             ECDH_SHA2_P521 ecdh key exchange algorithm

Sw01(config)#ip ssh server algorithm mac ?
  hmac-sha1                      HMAC-SHA1 (digest length = 160 bits,key length
                                 = 160 bits)
  hmac-sha2-256                  HMAC-SHA2-256 (digest length = 256 bits, key
                                 length = 256 bits)
  hmac-sha2-256-etm@openssh.com  HMAC-SHA2-256-ETM (digest length = 256 bits,
                                 key length = 256 bits)
  hmac-sha2-512                  HMAC-SHA2-512 (digest length = 512 bits, key
                                 length = 512 bits)
  hmac-sha2-512-etm@openssh.com  HMAC-SHA2-512-ETM (digest length = 512 bits,
                                 key length = 512 bits)

Sw01(config)#

Options might vary with the software version you use, but you can adjust those algorithms as needed.

HTH!


7 Replies


Hi Jens, Thanks for replying.

My main issue, and the reason I reached out, is that the switch is not recognizing these commands, as shown below. I am unaware of what exactly would be causing this.

[screenshot: ClayKoldenRTC_0-1757098560676.png]

Hi @Clay Kolden - RTC,

you need to enter global config mode for these commands.

As you can see at my previous post the prompt looks like 'Sw01(config)#'.

In order to get there you need the command 'configure terminal', the prompt will change to 'INSIDE-9300(Config)#' and then you can enter the commands I mentioned before.

When you are done, you leave the global config mode with the command 'exit' and then save the configuration with the command 'copy running-config startup-config'.

HTH!

Ah, I see now. Thank you so much for your help!

You're welcome! We are here to help.

Sorry, I missed that you did not enter config mode.

MHM

@Clay Kolden - RTC 

On IOS-XE you remove weak SSH options by explicitly defining the strong ones. Use:

  • ip ssh server algorithm kex … → pick only DH-group16/18 or ECDH (sha2).
  • ip ssh server algorithm mac … → allow only hmac-sha2 (256/512).
  • Optionally set AES-CTR ciphers.

After that, show ip ssh server algorithm will confirm SHA1 and old DH groups are gone.

–––
Best regards,
Stefan Mihajlov
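A small audit script for the task discussed in the accepted solution and in the reply above, added here as an example and not code from the thread: it parses a constructed 'show ip ssh' sample, flags the KEX/MAC algorithms named in the question, and builds the global-config lines (using the algorithm names from the 'kex ?' / 'mac ?' help shown earlier) that replace them by listing only the strong set.

```python
"""Audit the KEX/MAC algorithms an IOS-XE switch advertises and build the
global-config lines that replace the deprecated ones. Added example, not code
from the thread; SAMPLE_SHOW_IP_SSH is constructed, modelled on 'show ip ssh'."""
import re

# Deprecated algorithms named in the original question.
WEAK_KEX = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"}
WEAK_MAC = {"hmac-sha1", "hmac-sha1-96"}
# Strong replacements, in preference order, from the 'kex ?' / 'mac ?' help above.
STRONG_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521", "diffie-hellman-group16-sha512",
              "diffie-hellman-group14-sha256"]
STRONG_MAC = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
              "hmac-sha2-512", "hmac-sha2-256"]

SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

def parse_algorithms(show_output):
    """Return {'kex': [...], 'mac': [...]} parsed from 'show ip ssh' text."""
    algos = {}
    for line in show_output.splitlines():
        m = re.match(r"(KEX|MAC) Algorithms:\s*(.*)", line.strip())
        if m:
            algos[m.group(1).lower()] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algos

def find_weak(algos):
    """Advertised algorithms that should be removed, per category."""
    return {"kex": [a for a in algos.get("kex", []) if a in WEAK_KEX],
            "mac": [a for a in algos.get("mac", []) if a in WEAK_MAC]}

def remediation_commands(algos):
    """Lines to enter after 'configure terminal'. IOS-XE advertises only what
    is listed, so naming the strong set is what drops the weak one."""
    weak = find_weak(algos)
    cmds = []
    if weak["kex"]:
        cmds.append("ip ssh server algorithm kex " + " ".join(STRONG_KEX))
    if weak["mac"]:
        cmds.append("ip ssh server algorithm mac " + " ".join(STRONG_MAC))
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation_commands(parse_algorithms(SAMPLE_SHOW_IP_SSH))))
```

After applying the commands and saving, re-run the parser on the new 'show ip ssh' output; find_weak() should return empty lists for both categories.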
