cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
387
Views
0
Helpful
5
Replies

Verify SSH1/SSH2 Version on SG350?

jwgs6
Level 1
Level 1

A scan has suggested that an SG350 ver 2.5.9.16 switch is running SSH 1.3 or 1.5 and that it should be disabled. However, it doesn't appear to be running this version. If I enter show ip ssh then I get this output:

  • SSH Server enabled. Port: 22
  • RSA key was generated.
  • DSA(DSS) key was generated.
  • SSH Public Key Authentication is disabled.
  • SSH Password Authentication is enabled.

It doesn't state the version. Connections are refused in putty when using SSH 1. When I look at both keys, they are SSH2. 

I've seen in other threads that you can enter ip ssh ver 2 in configuration mode but ip ssh ? shows that "version" is not an option. I'm also not seeing "SSH Enabled - version 2.0" in the sh ip ssh output.

How can I be 100% certain that this switch isn't allowing any SSH 1.3/1.5 connections if putty isn't able to connect with SSH1? Is it possible to generate an SSH1 key and see if the switch allows it?

5 Replies 5

marce1000
VIP
VIP

 

      - This could be useful  :  % nmap --script ssh2-enum-algos SG350
                                                       nmap -sV SG350



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

I appreciate the response but I can't really do that without triggering a SYN attack on the device. Is there some way on the Cisco device itself that would confirm if SSH1 is running? As stated previous, all I can see is that SSH is running but nothing regarding versions.

Thanks.

 

                                       %  nmap -sV SG350 
          is the preferred command ; this will not trigger  a syn attack ,
         (the first one might do that but this one won't)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

I tried again with -p 22 and it doesn't appear that SSHv1 is seen in nmap's sshv1 script. Maybe it really isn't SSHv1 enabled.

 

 - Normally for that command you don't need the '-p 22' option ; then it will list the version of all services that it can find on the SG , 

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
Review Cisco Networking for a $25 gift card