02-23-2022 09:01 AM
A Nessus scan reported several of our devices are allowing weak key exchange algorithms and I have been asked to disable them. I have specifically been asked to disable:
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
on all devices. I've read various posts and I'm still not sure how to do this. I have found devices where the 'show ip ssh' is essentially the same, but one reports the vulnerability and one doesn't. I have been trying to apply:
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 2048
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm mac hmac-sha1
line vty 0 15
transport input ssh
everywhere, but this doesn't s
02-23-2022 09:08 AM
Not sure what device this is?
Follow the guide below to disable them:
https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html
02-23-2022 09:20 AM
The devices are mostly stacks of 2960Xs and 4500X VSS pairs. I think I've already applied everything in that link, but I'll go over it again carefully.
02-23-2022 09:27 AM
Also post the output here so we can understand what keys are there. Reset the RSA keys by zeroizing them and creating a new RSA key with a higher bit size to be considered.
Make sure you use the right access method to change the RSA key, in case you'd like to go with that option.
02-23-2022 11:15 AM
I can post whatever is needed. Do you need the output from 'show ip ssh'?
02-23-2022 04:22 PM
Yes, I'd also suggest posting show run and show ip ssh.
11-02-2022 02:04 PM
I fixed my issue!
Issue: SSH Server Supports Weak Key Exchange Algorithms:22
Fix cli - ip ssh serv alg kex diffie-hellman-group14-sha1
Make sure you can open another ssh session into your device after you put the command in, so you don't lock yourself out.
Recommend doing this also:
ip ssh time-out 15
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256 <<< this will error and I can't use PuTTY if I use a higher one
ip ssh server algorithm encryption aes256-ctr
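As an added check (my own code, not from this thread or from Cisco), the following Python reads the kex name-list a server advertises in its SSH KEXINIT and flags the two methods the Nessus finding names, so you can confirm the kex command took effect on a device without waiting for the next scan. The `fetch_server_kex` helper, the `build_kexinit_packet` builder and the sample packets it constructs are assumptions for the demo, not anything shown on the page.

```python
import socket
import struct

# The two kex methods the Nessus finding in this thread asks to remove.
WEAK_KEX = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"}
SSH_MSG_KEXINIT = 20

def parse_kexinit(packet):
    """Return the kex_algorithms name-list from an unencrypted SSH2 binary
    packet (RFC 4253 s.6) that carries a KEXINIT message (RFC 4253 s.7.1)."""
    packet_len, pad_len = struct.unpack("!IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16                      # skip message byte and 16-byte cookie
    (n,) = struct.unpack("!I", payload[off:off + 4])
    names = payload[off + 4:off + 4 + n].decode("ascii")
    return names.split(",") if names else []

def weak_kex_offered(kex_list):
    """Weak methods the server still advertises; an empty list means the fix took."""
    return sorted(WEAK_KEX.intersection(kex_list))

def build_kexinit_packet(kex_list):
    """Constructed test data only: a minimal KEXINIT whose other nine
    name-lists are empty (the parser above never reads past the first)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    kex = ",".join(kex_list).encode("ascii")
    payload += struct.pack("!I", len(kex)) + kex + bytes(4) * 9 + b"\x00" + bytes(4)
    pad_len = 8 - (5 + len(payload)) % 8   # total length must be a multiple of 8
    if pad_len < 4:                        # and padding must be at least 4 bytes
        pad_len += 8
    packet_len = 1 + len(payload) + pad_len
    return struct.pack("!IB", packet_len, pad_len) + payload + bytes(pad_len)

def fetch_server_kex(host, port=22, timeout=5):
    """Read the kex list a live SSH server offers: send our identification
    string, skip any banner lines up to the server's, then read its KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()
        head = f.read(5)
        (packet_len,) = struct.unpack("!I", head[:4])
        return parse_kexinit(head + f.read(packet_len - 1))

if __name__ == "__main__":
    # Offline demo: a constructed packet mimicking a device before the fix.
    before = build_kexinit_packet(["diffie-hellman-group-exchange-sha1",
                                   "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"])
    print("still offered:", weak_kex_offered(parse_kexinit(before)))
```

Against a real device, `weak_kex_offered(fetch_server_kex("10.0.0.1"))` returning `[]` after `ip ssh server algorithm kex diffie-hellman-group14-sha1` confirms the change from a second session before you close the one you configured it from.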
11-10-2022 08:32 AM
Added 3 of the statements above and it did resolve my SSH failures on scan... thanks for providing a solution.