Verify SSH1/SSH2 Version on SG350?

jwgs6
Level 1

A scan has suggested that an SG350 ver 2.5.9.16 switch is running SSH 1.3 or 1.5 and that it should be disabled. However, it doesn't appear to be running this version. If I enter show ip ssh then I get this output:

  • SSH Server enabled. Port: 22
  • RSA key was generated.
  • DSA(DSS) key was generated.
  • SSH Public Key Authentication is disabled.
  • SSH Password Authentication is enabled.

It doesn't state the version. Connections are refused in putty when using SSH 1. When I look at both keys, they are SSH2. 

I've seen in other threads that you can enter ip ssh ver 2 in configuration mode but ip ssh ? shows that "version" is not an option. I'm also not seeing "SSH Enabled - version 2.0" in the sh ip ssh output.

How can I be 100% certain that this switch isn't allowing any SSH 1.3/1.5 connections if putty isn't able to connect with SSH1? Is it possible to generate an SSH1 key and see if the switch allows it?
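One way to settle the question without a full port scan is to look at the SSH identification string the server sends as soon as a TCP connection opens. RFC 4253 section 4.2 defines it as "SSH-protoversion-softwareversion": a server that only speaks SSH 2 announces "SSH-2.0", while "SSH-1.99" means it also accepts SSH 1 clients, and "SSH-1.3" or "SSH-1.5" means SSH 1 only. The following script is an added example, not code from the thread or from Cisco; the banner strings in it are constructed samples, not captures from an SG350, and the host name is a placeholder.

```python
import socket

# Constructed sample identification strings (NOT captured from a real SG350)
# showing the cases a scanner distinguishes.
SAMPLE_BANNERS = {
    "v2_only": "SSH-2.0-ExampleServer_1.0\r\n",
    "v1_and_v2": "SSH-1.99-ExampleServer_1.0\r\n",
    "v1_only": "SSH-1.5-ExampleServer_1.0\r\n",
    # RFC 4253 allows extra lines before the identification string.
    "with_preamble": "Authorized use only\r\nSSH-2.0-ExampleServer_1.0\r\n",
}


def classify_banner(raw: str) -> dict:
    """Interpret the first 'SSH-' line of what a server sent (RFC 4253 4.2).

    Returns which protocol generations the server will accept based on the
    protoversion field: 1.3/1.5 = SSH 1 only, 1.99 = both, 2.0 = SSH 2 only.
    """
    ident = None
    for line in raw.splitlines():
        if line.startswith("SSH-"):
            ident = line.strip()
            break
    if ident is None:
        raise ValueError("no SSH identification string found in server data")
    # Strip 'SSH-', then split off protoversion from softwareversion.
    proto, _, software = ident[4:].partition("-")
    # The software field may be followed by a space and a free-form comment.
    software = software.split(" ", 1)[0]
    return {
        "protoversion": proto,
        "software": software,
        "accepts_v1": proto in ("1.3", "1.5", "1.99"),
        "accepts_v2": proto in ("1.99", "2.0"),
    }


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Open ONE TCP connection and read until the identification line arrives.

    No key exchange is started and only a single connection is made, so this is
    no more load on the switch than a single interactive login attempt.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while b"SSH-" not in buf or not buf.endswith(b"\n"):
            chunk = sock.recv(256)
            if not chunk or len(buf) > 4096:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace")


def describe(info: dict) -> str:
    """Turn a classify_banner() result into a one-line verdict."""
    if info["accepts_v1"] and info["accepts_v2"]:
        return "advertises SSH-1.99: accepts BOTH SSH 1 and SSH 2 clients"
    if info["accepts_v1"]:
        return f"advertises SSH-{info['protoversion']}: SSH 1 ONLY"
    return "advertises SSH-2.0: SSH 2 only, SSH 1 clients are rejected"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:14s} {describe(classify_banner(banner))}")
    # To check a real device, replace the placeholder host name:
    # print(describe(classify_banner(fetch_banner("sg350.example.invalid"))))
```

If the identification line reads SSH-2.0, the server is telling clients it will not negotiate SSH 1 at all, which is consistent with PuTTY's SSH 1 connection attempt being refused; an SSH-1.99 line would confirm the scanner's finding.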

7 Replies

Mark Elsen
Hall of Fame

- This could be useful:

    % nmap --script ssh2-enum-algos SG350
    % nmap -sV SG350



-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

I appreciate the response but I can't really do that without triggering a SYN attack on the device. Is there some way on the Cisco device itself that would confirm if SSH1 is running? As stated previously, all I can see is that SSH is running but nothing regarding versions.

Thanks.

    % nmap -sV SG350

is the preferred command; this will not trigger a SYN attack
(the first one might do that but this one won't).

 M.


I tried again with -p 22 and it doesn't appear that SSHv1 is seen in nmap's sshv1 script. Maybe it really isn't SSHv1 enabled.

- Normally for that command you don't need the '-p 22' option; then it will list the version of all services that it can find on the SG.

  M.


I am on the current firmware (2.5.9.54) and there still does not appear to be an option to disable SSH v1/v1.5.

These are small business switches and are severely limited in their feature sets.

https://www.cisco.com/c/en/us/products/collateral/switches/350-series-managed-switches/eos-eol-notice-c51-2442364.html