11-25-2019 08:04 PM
Hi
I have a 3850 switch with SSH open.
My audit SSH scan found an encryption algorithms vulnerability.
Can I disable the weak encryption algorithms 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc and disable the message authentication code MD5 and 96-bit MAC algorithms?
If I close these weak encryption algorithms, is there any effect on switch operation?
Accepted Solutions
11-25-2019 09:31 PM
You can use the following command to enable the encryption of your choice:
ip ssh server algorithm encryption
For mac, the command would be:
ip ssh server algorithm mac
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-26-2019 02:12 AM
Hi!
To my knowledge, the only way to prevent the Switch from offering weak algorithms is the following:
(example) conf#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
You can add all the algorithms you want to use in the command, just chain them one after another.
This way you tell the Switch to use only those.
Does this answer the question?
Let me know.
Best regards!
01-26-2022 05:59 AM
Hello Julian,
How about the Cisco MDS series command?

11-26-2019 04:19 AM
Hello,
On a side note, you could create a menu that would allow users to only configure the encryption algorithms that you want to allow. So, effectively, a 'weak' algorithm could never be configured. Not sure how far that would comply with the audit...
03-04-2022 01:49 PM - edited 03-04-2022 01:58 PM
Hi. Very interesting question. I would like to know which cipher is weak. I received a message which says its cipher is weak on the switch. Its configuration shows nothing for the command "show run | i ssh server". That means at least one of the ciphers is weak, but the question is that we do not know which one is weak among these ciphers, so we cannot just specify a strong one instead of the weak one. Please see below. If all of them are strong, why does it say weak? Thank you
IDF1-Switch#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
07-20-2023 01:06 PM
Anything with 3DES or CBC is considered obsolete.
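
The weak/strong split discussed in this thread, as an added example that is not part of any post and is not Cisco tooling: it parses the CLI help output quoted above, applies the thread's criteria (3DES, CBC, MD5, 96-bit MACs), builds the `ip ssh server algorithm` line and audits a running config. The function names and the rule that a missing config line is treated as "everything offered may be enabled" are assumptions.

```python
import re

# Constructed sample: the CLI help text quoted in the thread.
HELP_OUTPUT = """\
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
"""

def offered(help_text):
    """The first token of each help line is the algorithm name."""
    return [ln.split()[0] for ln in help_text.splitlines() if ln.strip()]

def is_weak(name):
    """Thread's criteria: 3DES, CBC mode, MD5, or a 96-bit (truncated) MAC."""
    n = name.lower()
    return "3des" in n or n.endswith("-cbc") or "md5" in n or n.endswith("-96")

def key_bits(name):
    """Key or digest size embedded in the name, 0 if none (sort key only)."""
    m = re.search(r"\d{3}", name)
    return int(m.group()) if m else 0

def hardening_line(kind, names):
    """Build 'ip ssh server algorithm <kind> ...' with the largest size first."""
    keep = sorted((n for n in names if not is_weak(n)), key=key_bits, reverse=True)
    if not keep:
        raise ValueError(f"no acceptable {kind} algorithm offered")
    return f"ip ssh server algorithm {kind} " + " ".join(keep)

def audit(running_config, kind, names):
    """Return the weak algorithms the running config still permits."""
    m = re.search(rf"^ip ssh server algorithm {kind} (.+)$", running_config, re.M)
    # Assumption: with no explicit line the platform defaults apply, so treat
    # every algorithm the CLI offers as possibly enabled (worst case).
    active = m.group(1).split() if m else names
    return [n for n in active if is_weak(n)]

if __name__ == "__main__":
    names = offered(HELP_OUTPUT)
    print("flagged with no explicit config:", audit("", "encryption", names))
    print("suggested:", hardening_line("encryption", names))
```

An empty result from `audit` means the configured list contains nothing the thread's criteria flag; confirm on the device that every SSH client in use supports at least one of the remaining algorithms before applying the line.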
