SSH Weak Key Exchange Algorithms Enabled in Catalyst 3850 48 Port PoE

Minato
Level 1

Cisco switch Catalyst 3850 48 Port PoE - Vulnerability

Can anyone help me fix the issue?

test#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes256-ctr,aes128-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1611723854
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDVe73ODoAh3O6V8eWto+k4oqGyoHIr6RYQOikubUy
qcNg4rG38y2zd/8lBXEal4kNwN6mfVZ2XiijcFMJdkO8csLfATMQETm2Z4yLcHZQNaTTHcxWsudxbBSd
tXZscw4Ysg1vyah3BEx1RhJWcHagVh+xl/BJXnzy/3xcU6SXvw==
test#

1 Reply

@Minato you may need to upgrade your IOS-XE version to support the latest crypto. Use the following commands:

ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-gcm aes256-ctr aes192-ctr aes128-gcm
ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp256

This post covers securing IOS-XE SSH in more detail - https://integrate.uk.com/securing-ios-xe-ssh/
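The following is an added example, not code from the question or the reply: a small audit script that parses the `show ip ssh` output posted above, flags the SHA-1 based KEX, MAC and host-key algorithms a scanner reports as weak, and emits the `ip ssh server algorithm` lines that keep only the strong ones. The weak/strong rules are this script's own assumptions (SHA-1 KEX and MACs, ssh-rsa host-key signatures, CBC ciphers, truncated MACs); the sample output is constructed from the post. Where a category offers no strong algorithm at all (the MAC list here is only hmac-sha1) the script says so instead of emitting a restriction, which is the case the reply's upgrade advice addresses. Whether the `hostkey` keyword is accepted depends on the IOS-XE release.

```python
"""Audit IOS-XE `show ip ssh` output and generate hardening lines.

Added example, not from the forum post. Weakness rules and the sample
output are assumptions constructed for illustration.
"""
import re

# Constructed sample: the algorithm lines from the `sh ip ssh` output in the question.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes256-ctr,aes128-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Category label as printed by the device -> keyword used by `ip ssh server algorithm`.
# (hostkey keyword availability depends on the IOS-XE release; assumption.)
CATEGORY_KEYWORD = {
    "KEX Algorithms": "kex",
    "Encryption Algorithms": "encryption",
    "MAC Algorithms": "mac",
    "Hostkey Algorithms": "hostkey",
}


def is_weak(name):
    """Assumed rule set: what vulnerability scanners usually flag as weak."""
    return (
        name.endswith("-sha1")       # diffie-hellman-*-sha1, hmac-sha1
        or name.endswith("ssh-rsa")  # ssh-rsa / x509v3-ssh-rsa: RSA signatures over SHA-1
        or name.endswith("-cbc")     # CBC cipher modes
        or name.endswith("-96")      # truncated MACs
    )


def parse_show_ip_ssh(text):
    """Return {category: [algorithm, ...]} for the four negotiable algorithm lists."""
    parsed = {}
    for line in text.splitlines():
        m = re.match(r"^(KEX|Encryption|MAC|Hostkey) Algorithms:(.*)$", line.strip())
        if m:
            category = m.group(1) + " Algorithms"
            parsed[category] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return parsed


def audit(text):
    """Return {category: {"weak": [...], "strong": [...]}} preserving device order."""
    report = {}
    for category, algs in parse_show_ip_ssh(text).items():
        report[category] = {
            "weak": [a for a in algs if is_weak(a)],
            "strong": [a for a in algs if not is_weak(a)],
        }
    return report


def remediation_config(text):
    """Config lines restricting each affected category to its strong algorithms.

    A category with no strong algorithm gets a comment line instead: nothing
    can be restricted until a release offering stronger options is installed.
    """
    lines = []
    for category, verdict in audit(text).items():
        keyword = CATEGORY_KEYWORD[category]
        if not verdict["weak"]:
            continue  # nothing to fix in this category
        if verdict["strong"]:
            lines.append("ip ssh server algorithm %s %s" % (keyword, " ".join(verdict["strong"])))
        else:
            lines.append("! %s: no strong algorithm offered; upgrade IOS-XE before restricting" % keyword)
    return lines


if __name__ == "__main__":
    for category, verdict in audit(SAMPLE_SHOW_IP_SSH).items():
        print("%-22s weak=%s" % (category, verdict["weak"]))
    print("\n".join(remediation_config(SAMPLE_SHOW_IP_SSH)))
```

Run it against your own `show ip ssh` capture by replacing the sample string; the generated lines should be compared with what the running release actually accepts before being applied, since the algorithm keywords available vary by IOS-XE version.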
