johnlloyd_13
Engager

IP SSH version 2

hi,

just a sanity check here.

is it safe to issue 'ip ssh version 2'? will it "break" or lock me out of the router?

all VTY lines only allow SSH.

Router#show ip ssh
SSH Enabled - version 1.99

4 REPLIES 4
Giuseppe Larosa
Hall of Fame Master

Hello @johnlloyd_13 ,

It should be safe; you just need to use recent client software for PuTTY or SecureCRT that supports SSH version 2, which is considered more secure.

When you do the test do not close the original vty session and try to open an additional window to verify the new settings and the ability to access the device.

 

Hope to help

Giuseppe

 

Deepak Kumar
VIP Advocate

Hi,

It is safe, but you must fulfill the requirements: the SSH client must be updated so that it can support all required encryption algorithms.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

router#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits

To see what algorithms your device(s) support.  Make sure one of these is listed in the SSH client you are using.  More than likely it is, but can't hurt to check.
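
The compatibility check suggested in the reply above, as an added example that is not part of the original thread: it parses the 'show ip ssh' output posted there and reports which algorithm categories have no match with a client's offer. The two client offers, the dictionary key names and the function names are constructed for illustration and are not any real client's defaults.

```python
import re

# Output of 'show ip ssh' as posted in the reply above, one field per line.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

# Router field name -> key used in the client offers below (key names are assumptions).
FIELDS = {"Hostkey Algorithms": "hostkey", "Encryption Algorithms": "cipher",
          "MAC Algorithms": "mac", "KEX Algorithms": "kex"}

def parse_show_ip_ssh(text):
    """Return (version, {category: [algorithms in the order the router lists them]})."""
    m = re.search(r"SSH Enabled - version (\S+)", text)
    algos = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in FIELDS:
            algos[FIELDS[name.strip()]] = [a.strip() for a in value.split(",") if a.strip()]
    return (m.group(1) if m else None), algos

def negotiate(router, client):
    """Per category, the first client-preferred algorithm the router also lists, else None."""
    return {cat: next((a for a in client.get(cat, []) if a in router.get(cat, [])), None)
            for cat in FIELDS.values()}

def blockers(router, client):
    """Categories with no common algorithm; any one of them makes the SSH handshake fail."""
    return sorted(c for c, a in negotiate(router, client).items() if a is None)

# Constructed client offers, in client preference order (not real client defaults).
LEGACY_CLIENT = {"hostkey": ["ssh-rsa"], "cipher": ["aes256-ctr", "aes128-cbc"],
                 "mac": ["hmac-sha1"], "kex": ["diffie-hellman-group14-sha1"]}
STRICT_CLIENT = {"hostkey": ["ssh-ed25519", "rsa-sha2-256"], "mac": ["hmac-sha2-256"],
                 "cipher": ["aes256-ctr"], "kex": ["curve25519-sha256"]}

if __name__ == "__main__":
    version, router = parse_show_ip_ssh(SHOW_IP_SSH)
    for client in (LEGACY_CLIENT, STRICT_CLIENT):
        print(version, negotiate(router, client), blockers(router, client))
```

An empty blockers list means every category has a common algorithm; a client that offers only newer key exchange and host key algorithms, like the constructed strict one, would fail against this router even though both sides speak SSH version 2.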

paul driver
VIP Mentor

Hello

No, it won't lock you out of your current session or future sessions from any terminal emulation software, but it could for future SSH sessions between network devices, such as switch to switch or router etc., running different versions.

One thing I am aware of from very recently is that if you change the SSH authentication/MAC algorithms, then that can and does lock you out of future sessions from switch to switch or router etc., but again not from any terminal emulation software.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future