Openssh version in NX-OS
04-08-2014 07:04 AM - edited 03-01-2019 07:33 AM
Hello,
Is there any document that describes which version of OpenSSH is used in NX-OS releases?
I have some security scans that report OpenSSH vulnerabilities, and I'd like to know if upgrading NX-OS will help me solve these issues.
Thanks,
Regards,
lang
12-02-2024 03:58 AM
Hi Jeff,
Happy to confirm that our SecOps team have today confirmed the OpenSSH vulnerability has now been updated within our scanning system and it's now marked as fixed. So the version I posted earlier, 10.3(6)M, does appear to resolve the issue.
I also spoke to Alejandro from Cisco TAC about this, and he provided the following on how to check/validate what version of SSH you are running:
To validate if a switch is running a fixed version of CiscoSSH you can do the following:
1. Enable "feature bash-shell"
2. Do "run bash"
3. From bash do "/isan/sbin/dcos_sshd -V"
4. If running CiscoSSH 1.13 or higher the device has the patch.
Example:
nxos64-cs.10.3.6.F.bin
F241.04.23-N9K-1(config)# feature bash-shell
F241.04.23-N9K-1(config)#
F241.04.23-N9K-1(config)# run bash
bash-4.4$ /isan/sbin/dcos_sshd -V
unknown option -- V
CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569 >>>>>>>>>>>>>>>>>>>>>>>CiscoSSH 1.13.48
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
bash-4.4$
Hope this helps!
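The version check from the TAC steps above, as an added example that is not part of the original post or of Cisco's tooling: a POSIX shell function that classifies saved `dcos_sshd -V` output against the "CiscoSSH 1.13 or higher" threshold, comparing the fields as integers so that 1.9 is not ranked above 1.13. The function names and every sample banner except the 1.13.48 line from the post are constructed.

```shell
#!/bin/sh
# Added example: classify saved `/isan/sbin/dcos_sshd -V` output against the
# "CiscoSSH 1.13 or higher" threshold quoted in the thread.
# Function names are hypothetical; sample banners are labelled below.

MIN_MAJOR=1
MIN_MINOR=13

# Print the CiscoSSH version found on stdin (e.g. 1.13.48), or nothing.
ciscossh_version() {
    sed -n 's/^.*CiscoSSH \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' | head -n 1
}

# Print "patched", "unpatched" or "unknown" for the banner text on stdin.
classify_sshd_banner() {
    ver=$(ciscossh_version)
    if [ -z "$ver" ]; then
        echo unknown    # no CiscoSSH token: do not guess from OpenSSH_x.y
        return 0
    fi
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # Compare field by field as integers; a plain string compare would
    # rank "1.9" above "1.13".
    if [ "$major" -gt "$MIN_MAJOR" ] ||
       { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }; then
        echo patched
    else
        echo unpatched
    fi
}

# Demo: the first banner is the line from the post, the other two are
# constructed (a below-threshold version and output with no banner line).
for banner in \
    'CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569' \
    'CiscoSSH 1.9.29, OpenSSH_0.0p0, CiscoSSL 0.0.0' \
    'usage: sshd [-46DdeiqTt] [-C connection_spec]'
do
    result=$(printf '%s\n' "$banner" | classify_sshd_banner)
    printf '%s -> %s\n' "$banner" "$result"
done
```

An "unknown" result means the capture held no CiscoSSH banner line, so it should be re-collected rather than inferred from the OpenSSH string alone.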
12-02-2024 06:50 AM
Thank you for letting me know. I will get the 10.3(6)M loaded on my switches too.
12-02-2024 06:57 AM - edited 12-02-2024 07:02 AM
No problem at all. If you run the commands from Cisco TAC before/after the upgrade to validate, you're looking for output that tells you the CiscoSSH version and OpenSSH version. Cisco were saying anything over CiscoSSH version 1.13.x has resolved this vulnerability, and if your security software still returns an issue it's a "false positive".
Our systems (after 10.3(6)M) were showing CiscoSSH 1.13.48
12-02-2024 07:09 AM
Mine running 10.5.1 is showing: CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips
12-02-2024 07:17 AM
Then you are good on that version from what Cisco explained to me.