Disabling 96-bit HMAC And MD5-based HMAC Algorithms in SDWAN Viptela Controller (vManage)

anoop_TechNW
Level 1

The customer's ask is to disable the weak hmac-sha1-96 MAC supported under SSH, as this has been reported as a critical error in a Vulnerability Assessment scan.

cat /etc/ssh/sshd_config
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
UsePrivilegeSeparation yes
Compression yes
ClientAliveInterval 15
ClientAliveCountMax 4
UseDNS no
LoginGraceTime 300
MaxStartups 10:30:100
Banner /etc/issue
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem netconf /usr/bin/vconfd_netconf_subsys
PubkeyAcceptedKeyTypes +ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
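As an added example (not part of the original post, and not Cisco or vManage code), the script below parses an sshd_config the way sshd reads it (comments stripped, keywords case-insensitive, first occurrence of a keyword wins), flags the MAC entries a scan of this kind names as weak (96-bit truncated tags and MD5-based HMACs), and prints the Macs line that would remain once those are removed. The sample config embedded in it is the Macs and Ciphers lines from the post above; the regex criteria are my assumption of what the scanner checks. On a vManage appliance the file is vendor-managed, so this is useful for reproducing the scan finding and documenting the requested change, not for editing the appliance by hand.

```python
import re

# Weak-MAC criteria as named in the scan finding: 96-bit truncated tags and
# MD5-based HMACs. Each entry is (regex over the lowercased name, reason).
# These patterns are an assumption about what the scanner checks.
WEAK_MAC_PATTERNS = (
    (re.compile(r"-96(-etm)?(@openssh\.com)?$"), "96-bit truncated tag"),
    (re.compile(r"md5"), "MD5-based"),
)

# Constructed sample: the relevant lines copied from the sshd_config posted above.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
# comment lines and blank lines are ignored by sshd
Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
"""


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword_lowercase: value}.

    Follows sshd's reading rules as far as this audit needs them: '#' starts a
    comment, keywords are case-insensitive, keyword and value are separated by
    whitespace or '=', and the FIRST occurrence of a keyword wins.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)
        if not match:
            continue
        config.setdefault(match.group(1).lower(), match.group(2).strip())
    return config


def weak_mac_reasons(name):
    """Return the reasons a MAC name is weak (empty list if it is acceptable)."""
    lowered = name.strip().lower()
    return [reason for pattern, reason in WEAK_MAC_PATTERNS if pattern.search(lowered)]


def audit_macs(config):
    """Audit the configured Macs list.

    Returns (weak, hardened): weak is a list of (mac, [reasons]) in configured
    order; hardened is the Macs value with those entries removed. If no Macs
    line is present sshd falls back to its compiled-in defaults, which this
    function cannot see (use 'sshd -T' on the host for the effective list),
    so it returns ([], None).
    """
    value = config.get("macs")
    if value is None:
        return [], None
    weak, keep = [], []
    for mac in (m.strip() for m in value.split(",") if m.strip()):
        reasons = weak_mac_reasons(mac)
        if reasons:
            weak.append((mac, reasons))
        else:
            keep.append(mac)
    return weak, ",".join(keep)


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    weak, hardened = audit_macs(cfg)
    for mac, reasons in weak:
        print(f"WEAK  {mac}: {', '.join(reasons)}")
    if hardened is None:
        print("no Macs line configured: sshd defaults apply")
    else:
        print("hardened Macs line:")
        print(f"Macs {hardened}")
```

Run against the posted configuration it reports only hmac-sha1-96 (96-bit truncated tag) and leaves full-length hmac-sha1 in place, since the finding named only the 96-bit and MD5 variants; whether plain hmac-sha1 should also go is a separate policy decision for the account team discussion.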

ekhabaro
Cisco Employee
The best option will be to reach out to your account team so they can open an enhancement request to exclude particular algorithms / make them configurable.