
Removing SSH Weak Ciphers SDWAN Router Controller Mode

billburns
Level 1

On the SD-WAN routers that are in controller mode, I need to remove HMAC-SHA1 from the list of options for SSH to connect. Is there a template that would be used to modify SSH, like a CLI template? I am looking to push the equivalent commands down to the routers.

ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384
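Independently of whether the commands above can be pushed from a template, the result can be checked from the outside: the router's SSH_MSG_KEXINIT (RFC 4253, section 7.1) lists every kex, cipher and MAC it is still willing to negotiate. The following is an added example, not part of the original post and not Cisco code: it builds a KEXINIT payload the way a server would, parses it back into its ten name-lists, and reports anything outside the allowlist the three commands above define. The sample payload is constructed here to resemble a router that still offers hmac-sha1 and CBC ciphers; it is not captured from a real device, and the zero cookie is only acceptable because it is a fixture.

```python
"""
Added example (not part of the original post or of any Cisco code): parse an
SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and check the offered
algorithms against the allowlist the question asks for:

    ip ssh server algorithm mac hmac-sha2-256
    ip ssh server algorithm encryption aes256-ctr
    ip ssh server algorithm kex ecdh-sha2-nistp384

SAMPLE below is a constructed payload, not a capture from a real router.
"""
import struct

SSH_MSG_KEXINIT = 20

# Policy taken from the question's three commands; anything else is a finding.
ALLOWED = {
    "kex": {"ecdh-sha2-nistp384"},
    "enc": {"aes256-ctr"},
    "mac": {"hmac-sha2-256"},
}

# The ten name-lists that follow the 16-byte cookie, in wire order.
FIELDS = [
    "kex", "hostkey",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
]


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, cookie=b"\x00" * 16):
    """Build a KEXINIT payload as a server would. Both directions get the same
    cipher/MAC lists here. A real server must use 16 random cookie bytes; the
    fixed cookie is only for this constructed sample."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += _name_list(names)
    body += b"\x00"                # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)   # reserved, must be zero
    return body


def parse_kexinit(payload):
    """Return a dict mapping each name-list field to its list of algorithms."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16                   # skip message id and cookie
    out = {}
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        off += n
        out[field] = raw.decode("ascii").split(",") if raw else []
    return out


def weak_offers(parsed):
    """Algorithms the peer offers that the policy does not allow, per category."""
    findings = {}
    for cat, fields in (("kex", ["kex"]),
                        ("enc", ["enc_c2s", "enc_s2c"]),
                        ("mac", ["mac_c2s", "mac_s2c"])):
        offered = set()
        for f in fields:
            offered.update(parsed[f])
        bad = sorted(offered - ALLOWED[cat])
        if bad:
            findings[cat] = bad
    return findings


# Constructed sample: a server still offering SHA-1 kex/MAC and CBC ciphers.
SAMPLE = build_kexinit(
    kex=["ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    hostkey=["ssh-rsa"],
    enc=["aes256-ctr", "aes128-cbc", "3des-cbc"],
    mac=["hmac-sha2-256", "hmac-sha1"],
)

if __name__ == "__main__":
    for cat, bad in weak_offers(parse_kexinit(SAMPLE)).items():
        print("%s: offered but not in policy: %s" % (cat, ", ".join(bad)))
```

Against a real device, the payload is the first SSH binary packet the router sends after the version-string exchange, with the packet-length, padding-length and padding bytes stripped (Wireshark shows the fields decoded); nmap's ssh2-enum-algos script prints the same name-lists without a capture. The check is worth keeping after any fix, because a push that silently fails (as later replies in this thread suggest is possible) leaves the router still advertising hmac-sha1.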

9 Replies

Ruben Cocheno
Spotlight

@billburns 

Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager Using CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.

  2. Choose the Cisco SD-WAN Manager device on which you wish to disable weaker SSH algorithms.

  3. Enter the username and password to log in to the device.

  4. Enter SSH server mode.

    vmanage# config terminal
    vmanage(config)# system
    vmanage(config-system)# ssh-server
  5. Do one of the following to disable an SSH encryption algorithm:

    • Disable SHA-1:

      1. vmanage(config-ssh-server)# no kex-algo sha1
      2. vmanage(config-ssh-server)# commit

        The following warning message is displayed:

        The following warnings were generated:
        'system ssh-server kex-algo sha1': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than SHA1 with vManage. Otherwise those edges may become offline.
        Proceed? [yes,no] yes
      3. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.

    • Disable AES-128 and AES-192:

      1. vmanage(config-ssh-server)# no cipher aes-128-192
      2. vmanage(config-ssh-server)# commit

        The following warning message is displayed:

        The following warnings were generated:
        'system ssh-server cipher aes-128-192': WARNING: Please ensure all your edges run code version > 18.4.6 which negotiates better than AES-128-192 with vManage. Otherwise those edges may become offline.
        Proceed? [yes,no] yes
      3. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6 or later and enter yes.

Verify that Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI

  1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.

  2. Select the Cisco SD-WAN Manager device you wish to verify.

  3. Enter the username and password to log in to the device.

  4. Run the following command:

    show running-config system ssh-server
  5. Confirm that the output shows one or more of the commands that disable weaker encryption algorithms:

    • no cipher aes-128-192

    • no kex-algo sha1

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

billburns
Level 1

Thank you for the link. Does it matter that these devices are cEdge and not vEdge like the document references? I log into the vManage SSH Terminal with a local account but still cannot issue "config t" because the router is in Controller Mode. My vManage is 20.10.1 and my cEdges are 17.9.3a.

Hi,

Use a CLI add-on template: copy and paste the regular CLI commands into it and add this CLI add-on template to the device template.

Push the new config and re-check. Below are the commands that you mentioned:

ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384

This is the method to push supported commands to devices that are not directly supported by feature templates. But I didn't find them in the qualified command list. You may try, just be careful if it is a production environment.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks Kanan. This was my original thought but I didn't find the commands in the qualified command list. I figured I'd ask here first because my deployment doesn't have a test site to test features like this.

I checked on a 20.13 controller with a 17.11 CSR8000v:

[screenshot]

[screenshot]

Even though in "show run all" I see lots of related default commands, there is no way to modify this list right now.

Because these commands are pure autonomous-mode commands:

[screenshot]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks for going the extra mile and loading up 20.13 and 17.11. This is what I love about this community. 

I opened up a TAC case just to hear it from Cisco, and now I have documentation. There is a bug with SD-WAN and not being able to change SSH settings.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh76478

Yes, exactly. Either it is a non-supported feature in controller mode (basically, coded like that) or, as you mentioned, it is a bug that it is not supported. And now, based on the link, we understand that the lack of the feature is in reality related to a bug.

Thanks for sharing answer from TAC.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hey guys, I opened a TAC case as well. They have placed an enhancement order. Hopefully we'll hear something soon.
