05-29-2025 08:06 AM
My InfoSec team is complaining that my MDS9250i's with version 8.4(2c) are allowing weak encryption standards.
My research seems to indicate the standard command to fix this is 'ip ssh ...' in config mode, but this command does not exist on my switch:
MDS9250i-A(config)# ip ssh server algorithm
                                            ^
% Invalid command at '^' marker.
What's the proper way to do this?
05-29-2025 02:21 PM - edited 05-30-2025 02:08 PM
Hello @twielgos,
the Security Configuration Guide for software versions 8.x does not include information about the ciphers used or the commands you could use to change them.
According to the Security Configuration Guide for software versions 9.x, these versions use strong algorithms by default.
The versions 9.x also allow you to customize the SSH cryptographic algorithms as mentioned by @marce1000, however that section includes the following note:
"Customizing SSH cryptographic algorithms are supported with x86-based MDS 9000 series switches only.
However, this feature is not supported with MDS 9250i, MDS 9148S, and MDS 9396S switches."
So an upgrade to version 9.x will enable strong algorithms by default but you will not be able to customize them.
EDIT:
The current recommended release 9.4(3a) does offer SSH customization on these platforms as feature parity has been introduced with release 9.4(2) according to an update from @Jason Mooney.
HTH!
05-30-2025 01:27 PM
Hi @twielgos,
It appears there's some confusion regarding how to manage weak ssh ciphers and macs for the MDS S-Series and 9250i switches.
I'm excited to report that starting in NX-OS 9.4(2) support for customizing these on these platforms was added based on customer feedback. The current recommended release is NX-OS 9.4(3a), which can be found in the MDS NX-OS Recommended Release document.
As @jen pointed out, the MDS 9000 Security Configuration Guide for earlier 9.x versions (specifically around the NX-OS 9.4(1) timeframe) included a note stating that Cisco doesn't support changing the ciphers and macs on the mentioned platforms (MDS 9250i, MDS 9148S, and MDS 9396S). This note was accurate for releases prior to NX-OS 9.4(2), as these platforms did not initially have the same feature parity for SSH customization as other MDS products when 9.x was first released.
Jens, I've filed a documentation bug CSCwp31201 today to ensure the guide is updated to reflect the support added in NX-OS 9.4(2) and later. Please allow 2-3 business days for this bug ID to become publicly visible. And thank you again for pointing out the discrepancy!
Have a wonderful day,
-Jason
05-29-2025 09:51 AM
- For this platform, use or try to use:
switch (config)# ssh ciphers ?
Choose desired option
Ensure that ssh cipher-mode weak is disabled before enabling aes256-gcm. (e.g.)
M.
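The InfoSec finding that started this thread is normally the result of an SSH algorithm enumeration scan, so the practical check after an upgrade or an `ssh ciphers` change is to re-enumerate what the switch offers and flag anything still on the weak list. The checker below is an added example, not code from the thread or from Cisco; its sample scan text is constructed in the shape of nmap's ssh2-enum-algos output, and the weak-algorithm patterns are an assumed policy to adjust to your own standard.

```python
import re

# Constructed sample in the shape of nmap's ssh2-enum-algos output (not a real scan).
SAMPLE_SCAN = """\
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       aes256-gcm@openssh.com
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|_      hmac-md5
"""
# Patterns for algorithms that scanners commonly flag as weak (assumed policy, adjust to yours).
WEAK_PATTERNS = {
    "kex_algorithms": [r"sha1$", r"group1-"],
    "server_host_key_algorithms": [r"^ssh-rsa$", r"^ssh-dss$"],
    "encryption_algorithms": [r"-cbc$", r"^3des", r"arcfour", r"blowfish", r"cast128"],
    "mac_algorithms": [r"^hmac-md5", r"^hmac-sha1", r"^umac-64"],
}

def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos-style output."""
    algos, category = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()           # drop nmap's "|" / "|_" gutter
        m = re.match(r"^(\w+_algorithms):", line)  # category header line
        if m:
            category = m.group(1)
            algos[category] = []
        elif category and line:                    # indented algorithm name
            algos[category].append(line)
    return algos

def find_weak(algos):
    """Return {category: [weak algorithm, ...]} for categories with findings."""
    weak = {}
    for category, patterns in WEAK_PATTERNS.items():
        hits = [a for a in algos.get(category, [])
                if any(re.search(p, a) for p in patterns)]
        if hits:
            weak[category] = hits
    return weak
```

Feed it the output of a real enumeration of the switch; an empty result from `find_weak` is the evidence to hand back to the InfoSec team.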
05-30-2025 02:04 PM
Hi @Jason Mooney,
thanks for this update!
It is indeed good news that you listen to customer feedback and now offer feature parity for SSH customization on these platforms.
Regards, Jens