Re: How to verify my cisco router is not running SSH v1.99

jomo frank · ‎08-03-2021

Hello Expert,

Our router was flag during an audit for having both ssh v 1.99 and ssh v2.00 running.

when I do sh ip ssh the following below :-

testf-1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-224155859
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Z52WPzc3D4/u5132jZDB6neiVjtOOGEto7LTzyrq
6FZfjUCPze5lgYlXL9VwYmz8M6xM7mcFho7v4hKjNqXhcKnSkwJyMLKTUeHaf/93T4anUNqWJgVpBBnP
Oodsvs179Urjjl4RhX7Um/KXbvoFBGK5pIFK7jLX7sEqwgrc/aVNCXe7LQElqLsFtcjh1PV9XTTwQ00h
/ufMc/pElJgiJClDzbU6m5Rq5CWtQn30d42EA/m11lH0hmdruyPW5y+S1ltvE2sL9DKeCKssk60Hi+y4
ogHi+JZnRObCue6DPh8TIseAGavpmn/KQrT/wuB4Oma4O+dmS+TxJFZ2Y4fB

i cannot see any evidence of ssh ver 1.99 been active, hence I humbly ask your guidance since auditors insists that their audit software reveal that ssh ver 1.99 is available .

Regards

Georg Pauwen · ‎08-03-2021

Hello,

I think there is a command to reset the version to 1.99:

testf-1#conf t

testf-1(config)#no ip ssh version 1/2

jomo frank · ‎08-04-2021

Hello Georg,

I trying to disable ver 1.99 not enable, hence I looking for guidance disable 1.99 and just use 2.0.

Regard

Richard Burts · ‎08-04-2021

Perhaps it would be helpful to clarify that there is not a "version" 1.99 that you can enable or disable. When a device indicates 1.99 it is indicating that it supports both SSH version 1 and version 2. If you specify SSH version 2 it should disable version 1 and the device should no longer indicate 1.99.

HTH

Rick

johnlloyd_13 · ‎08-05-2021

hi,

SSH ver 1.99 is SSH version 1.

either you check manually on each device with 'show ip ssh' or run an namp scan specific for SSH.

you'll need permission from your IT management for running such script as it can potentially disrupt your network.

see helpful link for sample nmap scan or its GUI counterpart, zenmap:

https://wannabecybersecurity.blogspot.com/2018/03/port-scan-using-nmap-and-enable-iis-in.html?m=0

CSRv#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-808986070
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwIC5VtcAlvLOlElZKAB326SQPWS4UFqD6m2G3rxA6
e6TpYiSRRNN8UXSz9xwImZZ4+dmVWrG7GQ8eABlWBQ7SpxsWN3D+cv5Yga5/+XT6bk37lNeJIGnQmXED
Y9K8P9s3Dqe/dwF+YDKrm0S1LDrGACvk2RnfT3USQUhT9jpibAAetpmuzGI3eMV1oatuElOEjhXcIw+Y
oJ2iQDOEoFgVwsrNv7+nxhlYmsSAuAG0N8V3+LFuaP/Imdo12DoJC58Ln+V+VO/PFQ3FMPP3w9HE0pjq
JXaSD9yW/NQDhup1dxf4y0qr3Qq42bjF1kSEDuU5VrP0ptF+BUFrt/ltn7VB

CSRv#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CSRv(config)#ip ssh version ?
2 Protocol Version to be supported

CSRv(config)#ip ssh version 2
CSRv(config)#
CSRv(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-808986070
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwIC5VtcAlvLOlElZKAB326SQPWS4UFqD6m2G3rxA6
e6TpYiSRRNN8UXSz9xwImZZ4+dmVWrG7GQ8eABlWBQ7SpxsWN3D+cv5Yga5/+XT6bk37lNeJIGnQmXED
Y9K8P9s3Dqe/dwF+YDKrm0S1LDrGACvk2RnfT3USQUhT9jpibAAetpmuzGI3eMV1oatuElOEjhXcIw+Y
oJ2iQDOEoFgVwsrNv7+nxhlYmsSAuAG0N8V3+LFuaP/Imdo12DoJC58Ln+V+VO/PFQ3FMPP3w9HE0pjq
JXaSD9yW/NQDhup1dxf4y0qr3Qq42bjF1kSEDuU5VrP0ptF+BUFrt/ltn7VB

paul driver · ‎08-03-2021

Hello

looks like your are indeed running ver 2

so ask those auditors for proof regards that device running default 1.99 shh

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

marce1000 · ‎08-04-2021

- FYI : https://nmap.org/nsedoc/scripts/sshv1.html

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !