IP SSH version 2

johnlloyd_13
Level 9

Hi,

Just a sanity check here.

Is it safe to issue 'ip ssh version 2'? Will it "break" or lock me out of the router?

All VTY lines only allow SSH.

Router#show ip ssh
SSH Enabled - version 1.99

4 Replies

Giuseppe Larosa
Hall of Fame

Hello @johnlloyd_13 ,

It should be safe; you just need to use a recent version of client software such as PuTTY or SecureCRT that supports SSH version 2, which is considered more secure.

When you do the test, do not close the original vty session; open an additional window to verify the new settings and the ability to access the device.

 

Hope to help

Giuseppe

 

Deepak Kumar
VIP Alumni

Hi,

It is safe, but you must fulfill the requirements: the SSH client must be updated so that it can support all required encryption algorithms.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

router#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits

Use this to see what algorithms your device(s) support. Make sure one of these is listed in the SSH client you are using. More than likely it is, but it can't hurt to check.
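The check suggested in this reply can be scripted before the change is made. This is an added example, not part of the original post: it parses the 'show ip ssh' output shown above and reports every category in which a client and the device share no algorithm. The function names and both client lists are assumptions constructed for illustration.

```python
import re

# Device output of 'show ip ssh' as posted in the reply above.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

# Label in the device output -> key used in the client dictionaries.
SECTIONS = {"Hostkey Algorithms": "hostkey", "Encryption Algorithms": "cipher",
            "MAC Algorithms": "mac", "KEX Algorithms": "kex"}

# Constructed sample client offers (assumptions, not any real client's defaults).
CLIENT_LEGACY_OK = {"hostkey": ["ssh-ed25519", "ssh-rsa"], "cipher": ["aes256-ctr"],
                    "mac": ["hmac-sha2-256"], "kex": ["diffie-hellman-group14-sha1"]}
CLIENT_STRICT = {"hostkey": ["ssh-ed25519", "rsa-sha2-512"], "cipher": ["aes128-ctr"],
                 "mac": ["hmac-sha2-512"], "kex": ["curve25519-sha256"]}

def parse_show_ip_ssh(text):
    """Return (version, {category: [algorithms in device order]})."""
    m = re.search(r"SSH Enabled - version (\d+\.\d+)", text)
    if not m:
        raise ValueError("SSH not enabled or output not recognised")
    algos = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in SECTIONS:
            algos[SECTIONS[label.strip()]] = [a.strip() for a in value.split(",") if a.strip()]
    return m.group(1), algos

def pre_change_findings(device_text, client):
    """Findings to resolve before relying on this client to reach the device."""
    version, device = parse_show_ip_ssh(device_text)
    findings = []
    if version == "1.99":  # 1.99 means the server accepts both SSHv1 and SSHv2
        findings.append("device still accepts SSHv1")
    for cat in SECTIONS.values():
        if cat not in device:
            findings.append(f"{cat} algorithms not listed by device")
        elif not any(a in client.get(cat, []) for a in device[cat]):
            findings.append(f"no common {cat} algorithm")
    return findings
```

With an OpenSSH client, the real lists can be taken from `ssh -Q cipher`, `ssh -Q mac`, `ssh -Q kex` and `ssh -Q key`; an empty result from `pre_change_findings` means every category has at least one shared algorithm.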

Hello

No, it won't lock you out of your current session or future sessions from any terminal emulation software, but it could for future SSH sessions between network devices, such as switch to switch or router etc., running different versions.

One thing I am aware of from very recently is that if you change the SSH authentication/MAC algorithms, then that can and does lock you out of future sessions from switch to switch or router etc., but again not from any terminal emulation software.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul