06-07-2024 09:05 AM
Windows 11 (cli) no longer negotiates ssh with our Cisco C1000 catalyst switches without a work around:
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -c aes256-ctr <username>@<ip address>
but after researching, it appears that Microsoft is doing this because the diffie-hellman algorithms are no longer current/secure enough to support.
1. Is there a way to get the C1000 to support more current algorithms that Windows 11 does support natively in the cmd window?
2. Is this only a problem with the C1000 line? In other words, do other catalyst switches support more current algorithms?
Thanks
06-07-2024 09:14 AM
check the ciphers supported - it depends on the version of code you are using.
show ip ssh shows you what ciphers are supported; use SSH v2
06-07-2024 09:21 AM
Thanks for your quick reply BB.
We are already on ssh v2, and when I do show ip ssh, I only see "KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
My main question was - can I add more secure key exchange algorithms to this switch, or are they "baked into" the IOS? Also, the second part of that was - what catalyst switch would I need to upgrade to in order to be current?
06-07-2024 10:58 AM
if you have the option to add ciphers, as in the URL I suggested, you can add them with the command.
look at - Restrictions for Configuring Secure Shell
what catalyst switch would I need to upgrade to in order to be current?
Cat 9200 for Layer 2, Cat 9300 more advanced options.
06-07-2024 10:34 AM
Also, an internal vulnerability scan by an auditor stated that we needed to "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater." Is there a config change that can require this?
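The failure described in this thread is a key-exchange negotiation with no common algorithm: the switch only offers the two SHA-1 KEX methods shown in the "show ip ssh" output, and a client that has dropped SHA-1 KEX from its list has nothing to pick, which is exactly what the "-oKexAlgorithms=+diffie-hellman-group14-sha1" workaround changes on the client side. The following is an added example, not code from the thread or from Cisco; it parses that "show ip ssh" line, emulates the RFC 4253 negotiation rule (first entry in the client's preference list that the server also offers), shows the effect of the "+" option, and flags each offered KEX method against the auditor's 2048-bit modulus requirement. The client preference list is an assumption made up for the example; the real one must come from the client itself.

```python
import re
from typing import List, Optional

# KEX line exactly as the C1000 printed it in "show ip ssh" (quoted from the thread).
SHOW_IP_SSH = (
    "KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)

# Assumed client preference list (hypothetical; a modern client with no SHA-1 KEX).
# Replace with the actual list from the client's configuration when using this.
ASSUMED_CLIENT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
]

# Fixed modulus sizes of the RFC 4253 / RFC 3526 finite-field DH groups.
FIXED_GROUP_BITS = {"group1": 1024, "group14": 2048, "group16": 4096, "group18": 8192}


def parse_kex(show_output: str) -> List[str]:
    """Extract the server's KEX list from "show ip ssh" style output."""
    match = re.search(r"KEX Algorithms:\s*([^\n]+)", show_output)
    if not match:
        return []
    return [alg.strip() for alg in match.group(1).split(",") if alg.strip()]


def negotiate_kex(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first client-preferred algorithm the server offers wins.

    Returns None when the lists do not overlap, i.e. the connection fails."""
    for alg in client:
        if alg in server:
            return alg
    return None


def add_kex(client: List[str], extra: List[str]) -> List[str]:
    """Emulate -oKexAlgorithms=+alg: append to the client's list without reordering it."""
    return client + [alg for alg in extra if alg not in client]


def modulus_bits(alg: str) -> Optional[int]:
    """Modulus size implied by a finite-field DH KEX name; None for group-exchange
    (size is negotiated per connection) and for non-DH methods."""
    for group, bits in FIXED_GROUP_BITS.items():
        if alg.startswith(f"diffie-hellman-{group}-"):
            return bits
    return None


def assess_kex(alg: str, min_bits: int = 2048) -> List[str]:
    """Findings for one KEX method against the audit requirement in the thread."""
    findings = []
    if alg.endswith("-sha1"):
        findings.append("uses SHA-1 in the key exchange")
    bits = modulus_bits(alg)
    if bits is not None and bits < min_bits:
        findings.append(f"fixed {bits}-bit modulus is below {min_bits} bits")
    if "group-exchange" in alg:
        findings.append("modulus size is negotiated, so the server's minimum must be enforced")
    return findings


if __name__ == "__main__":
    server = parse_kex(SHOW_IP_SSH)
    print("server offers:", server)
    print("default client negotiates:", negotiate_kex(ASSUMED_CLIENT_KEX, server))
    patched = add_kex(ASSUMED_CLIENT_KEX, ["diffie-hellman-group14-sha1"])
    print("with +group14-sha1 negotiates:", negotiate_kex(patched, server))
    for alg in server:
        print(alg, "->", assess_kex(alg) or ["no findings"])
```

The negotiation result is None for the assumed client, which matches the behaviour reported in the first post; adding group14-sha1 with the "+" syntax makes the connection succeed on that method, but the assessment still flags it for SHA-1 even though its 2048-bit modulus satisfies the modulus requirement on its own.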