04-27-2009 06:32 AM - edited 03-04-2019 04:32 AM
Hi,
I would like to know if the following IOS version only supports ssh v.1.99 or if it supports true ssh v.2.
The IOS is 12.4(13r)T
Our Nessus scans continue to kick back the vulnerability due to the 1.99 option which allows version 1 ssh connections. I believe we may have purchased the incorrect IOS image for the router.
If not, how do I allow the router to only accept version 2 connections?
ip ssh version 2.0 at the CLI continues to report back as v1.99
thanks,
Jim
04-27-2009 08:52 AM
Can you try if the following command is supported:
(config)#ip ssh version 2
04-27-2009 09:00 AM
Jim
Release 12.4T should support SSH version 2, assuming that it supports SSH.
I have seen a couple of situations where IOS seems to have gotten confused and was not enabling version 2 as desired. If that is your case I would suggest that you remove the version 2 specification (no ip ssh version 2), then regenerate the RSA keys used for SSH (perhaps zeroize the key and then regenerate it if you want to be very thorough), then enable version 2 with ip ssh version 2. I have seen situations where doing this did resolve the issue. I do not know if that is your issue but it would be worth trying.
HTH
Rick
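The reset sequence described in the reply above, written out as IOS CLI commands. This is an added example, not a configuration posted in the thread; the 2048-bit modulus and the optional vty hardening line are my additions, and it assumes a hostname and ip domain-name are already configured (IOS refuses to generate an RSA key without them).

```cisco
! Added example: reset SSH from mixed mode (1.99) to SSHv2 only.
! Assumes hostname and ip domain-name are already set.
configure terminal
 ! 1. drop the version pin so the re-key starts from a clean state
 no ip ssh version 2
 ! 2. wipe the existing RSA host key (IOS asks "Do you really want to
 !    remove these keys? [yes/no]:" - answer yes; SSH stops until step 3)
 crypto key zeroize rsa
 ! 3. regenerate; 2048 bits is my choice, the thread does not name a size
 crypto key generate rsa modulus 2048
 ! 4. pin the daemon to protocol 2 only
 ip ssh version 2
 ! optional (not from the thread): refuse telnet on the vty lines
 line vty 0 4
  transport input ssh
 end
! Verify: the first line should read "SSH Enabled - version 2.0",
! not "version 1.99"
show ip ssh
```

Run this from the console, not over SSH: zeroizing the key terminates existing SSH sessions, and because the host key changes, every client that has the old key cached will report a host-key mismatch on the next connection until its known_hosts entry is replaced.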
04-27-2009 10:07 AM
Once I stepped through your comments on the router, version 2 (only, not v1.99) now shows.
I have also tested by trying to connect via SSH 1 client and am not able to connect.
thanks,
Jim
04-27-2009 10:19 AM
Jim
I am glad that my suggestions were able to help you to resolve your issue.
HTH
Rick
04-27-2009 10:05 AM
Yes, command is supported.
04-27-2009 09:00 AM
v1.99 is the default SSH output when running v1 and v2. I've covered the outputs you get for each version on this thread http://tinyurl.com/c7uydc
Can you post the output from typing show version?
__
Edison.
04-27-2009 09:48 AM
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3i), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 28-Nov-07 21:09 by stshen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
TT_HQ_2821_CR_1 uptime is 1 week, 2 days, 3 hours, 39 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-3i.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2821 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1221A2MM
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
04-27-2009 12:23 PM
Edison is right.
Version 1.99 = Mixed Mode SSHv1&2
Version 1.50 = Only SSHv1
Version 2.00 = Only SSHv2
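The three version strings listed above are what the router announces in its SSH identification line, and that line is what a scanner such as Nessus reads to decide whether SSHv1 is still accepted. The following script is an added example, not code from the thread: it classifies an identification string per RFC 4253 section 4.2 into the same three modes (1.99 mixed, 1.x SSHv1 only, 2.0 SSHv2 only) so you can confirm a device from the outside after the re-key. The sample banners are constructed for illustration; `fetch_banner` needs network access and is only a convenience for probing a live host.

```python
"""Classify an SSH server identification string (RFC 4253 section 4.2).

Added example, not from the original thread. The protoversion field maps to
the modes the thread lists for Cisco IOS:
  1.99 -> accepts SSHv1 and SSHv2 clients (mixed mode)
  1.x  -> SSHv1 only
  2.x  -> SSHv2 only
A scanner flags 1.99 because an SSHv1-only client can still negotiate.
"""
import re
import socket
import sys

# "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)

# Constructed sample banners (the software field is illustrative only).
SAMPLE_BANNERS = {
    "before": "SSH-1.99-Cisco-1.25",   # what the scanner complained about
    "after": "SSH-2.0-Cisco-1.25",     # after "ip ssh version 2" took effect
}


def is_ssh_banner(banner: str) -> bool:
    """True if the line has the shape of an SSH identification string."""
    return _BANNER_RE.match(banner.strip()) is not None


def classify_banner(banner: str) -> str:
    """Return 'mixed', 'v1-only' or 'v2-only' for an identification string."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "1.99":
        return "mixed"        # RFC 4253: 1.99 = server also speaks SSH-2
    if proto.startswith("1."):
        return "v1-only"      # 1.3 / 1.5 legacy protocol
    if proto.startswith("2."):
        return "v2-only"
    raise ValueError(f"unknown SSH protocol version: {proto}")


def accepts_ssh1(banner: str) -> bool:
    """True if an SSHv1-only client could still connect to this server."""
    return classify_banner(banner) in ("mixed", "v1-only")


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line from a live host (network I/O).

    The server sends its identification string without waiting for the
    client's, so nothing is written. RFC 4253 lets a server send other
    lines first; those are skipped until one starting with "SSH-" arrives.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for raw in reader:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise RuntimeError(f"{host}:{port} sent no SSH identification string")


if __name__ == "__main__":
    # With a host argument, probe it; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        banners = {sys.argv[1]: fetch_banner(sys.argv[1])}
    else:
        banners = SAMPLE_BANNERS
    for label, banner in banners.items():
        mode = classify_banner(banner)
        flag = "SSHv1 still accepted" if accepts_ssh1(banner) else "SSHv2 only"
        print(f"{label:>8}: {banner:<32} -> {mode} ({flag})")
```

The check reads only the identification line, so it tells you what the daemon advertises, not what it would actually negotiate; the thread's own test (connecting with an SSH-1 client and being refused) remains the definitive confirmation once the banner shows 2.0.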