cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12549
Views
6
Helpful
7
Replies

Disabling SSH weak key exchange algorithms in IOS

spfister336
Level 2
Level 2

A Nessus scan reported several of our devices are allowing weak key exchange algorithms and I have been asked to disable them. I have specifically been asked to disable:

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1

on all devices. I've read various posts and I'm still not sure how to do this. I have found devices where the 'show ip ssh' is essentially the same, but one reports the vulnerability and one doesn't. I have been trying to apply:

crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 2048
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm mac hmac-sha1
line vt 0 15
transport input ssh

everywhere, but this doesn't s 

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

Not sure what is this device here ?

 

Follow below guide to disable :

 

https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

spfister336
Level 2
Level 2

The devices are mostly stacks of 2960Xs and 4500X VSS pairs. I think I've already applied everything in that link, but I'll go over it again carefully.

also post the output here for us to understand what keys are there. reset RSA keys by making zero and creating new RSA key with higher bit to be consider.

 

make sure you do using right access method to change RSA in case you like to go with that option

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I can post whatever is needed. Do you need the output from 'show ip ssh'?

yes also suggest to post show run and show ip ssh

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Network713
Level 1
Level 1

I fixed my issue!

Issue: SSH Server Supports Weak Key Exchange Algorithms:22

Fix cli - ip ssh serv alg kex diffie-hellman-group14-sha1

Make sure you can open another ssh session into your device after you put the command in, so you don't lock yourself out.

 

Reccomend to do this also:

ip ssh time-out 15

ip ssh authentication-retries 2

ip ssh version 2

ip ssh server algorithm mac hmac-sha2-256    <<<this will have error and can’t use putty if I use a higher one

ip ssh server algorithm encryption aes256-ctr 

ronaldrapp7190
Level 1
Level 1

added 3 of the statements above and it did resolve my ssh failures on scan........thanks for providing a solution

Review Cisco Networking for a $25 gift card