Allow only ssh version 2 with aes256-cbc hmac-sha1 to IOS router

cisco24x7
Level 6

I have a requirement on my IOS router running the latest version of IOS 12.4T.

I want to configure the router so that it only accepts SSH version 2 connections with aes256-cbc hmac-sha1. Every other SSH connection, such as aes192-cbc hmac-sha1 or hmac-md5, will fail.

I can get this to work on a Unix/Linux box in less than 10 seconds. However, I am struggling to get this to work in IOS routers.

Anyone know how to do this? Thanks.

17 Replies

robertstrik84
Level 1

With SSH from client side you can pick the encryption level, it’s weird though that client side dictates the encryption level.

And yes SSH v2 also works with 3des which is quite weak encryption. I’m quite surprised you can't force this on server side.

From client side you can do:

ssh -c aes256-cbc -l -m hmac-sha1-160 -l

example

ssh -c aes256-cbc -l admin 192.168.1.1

but

ssh -c 3des -l admin 192.168.1.1 will also work, which obviously we don't want. (And 128-cbc and 192-cbc also.)

At least you can protect yourself when you login this way.

Robert, I understand that I can specify which cipher to use from the SSH client.

The problem that I am having is that I am trying to securely copy a file from a local host up into the Cisco Router, while being logged into the Cisco Router.

Router(config)# ip ssh version 2

Router(config)# ip scp server enable

Router# copy scp://user@remotehost/file flash:file

When I do this command with Cisco IOS 15.2 it requires that I have 3des-cbc installed on the remotehost in order for the secure copy to proceed.

When I do this command with Cisco IOS 12.4 it works correctly without the 3des-cbc cipher installed on the remotehost.

It appears to me as though the secure copy feature in Cisco IOS 15.x is broken now. It seems that it ignores the ip ssh version 2 specification. Or does this specification only control the ssh session and not the secure copy session?

asverma2
Cisco Employee

Just for information: the option is available in

Cisco IOS XE Software, Version 03.13.02.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(3)S2, RELEASE SOFTWARE (fc3)

using the CLI below:

Router(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)


Router(config)#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode

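Putting the commands asverma2 lists together, here is an added configuration example (not from the thread, and not Cisco documentation) that restricts the router to exactly what the original question asks for: SSH version 2 with aes256-cbc and hmac-sha1 only. It assumes a release that carries the `ip ssh server algorithm` / `ip ssh client algorithm` commands (15.4(3)S as shown above; the `client` variants are assumed to be present on the same release family); the hostname, domain name and key size are placeholders. Each `ip ssh ... algorithm` command replaces the whole list, so listing a single algorithm is what excludes 3des-cbc, aes128/aes192 and hmac-md5. Note the interaction described earlier in the thread: the `client` lines also govern `copy scp:` initiated from the router, so the remote host's sshd must offer aes256-cbc and hmac-sha1 or the copy will fail rather than fall back to 3des.

```cisco
! Added example configuration; hostname, domain and modulus are placeholders.
hostname Router
ip domain-name example.test
! SSH needs an RSA key pair before it can be enabled.
crypto key generate rsa modulus 2048
! Only SSH protocol version 2 (no v1 fallback).
ip ssh version 2
! Server side: only aes256-cbc and hmac-sha1 are offered to connecting clients.
ip ssh server algorithm encryption aes256-cbc
ip ssh server algorithm mac hmac-sha1
! Client side (assumed to exist on this release): same restriction for sessions
! the router initiates, including copy scp: / copy ssh: operations.
ip ssh client algorithm encryption aes256-cbc
ip ssh client algorithm mac hmac-sha1
! Allow the router to act as an SCP server for copies pushed to it.
ip scp server enable
! Do not accept telnet on the VTYs, only SSH.
line vty 0 4
 transport input ssh
!
! Verification (exec mode). On releases that support this feature the output is
! expected to list the configured Encryption Algorithms and MAC Algorithms.
end
show ip ssh
```

After applying this, a client that offers only 3des-cbc (for example `ssh -c 3des-cbc ...`) should be refused during key exchange, and `show ip ssh` should show only the two algorithms configured; if the algorithm lines are absent from `show ip ssh`, the running release predates the feature and the restriction is not in effect.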