01-28-2024 06:27 PM
Below is the output from a Cisco Catalyst C9300 for the command show run all | in ssh.
Currently it has the below configuration.
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
ip ssh server algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
In addition to the above, is it possible to add the below? I don't want to replace the above. Can the below commands co-exist? Will it work? Please let me know.
ip ssh client algorithm kex diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256
ip ssh server algorithm kex diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256
----------------------------------------------------------------------------------
show run all | in ssh
netconf-yang ssh port 830
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh window-size 8192
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 2048
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
no ip ssh server peruser session limit
ip ssh server certificate profile
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
ip ssh client algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
transport input ssh
01-28-2024 09:20 PM
Any help
01-28-2024 11:57 PM
Hello @RS19 ,
I see that the only options you have are:
(config)#ip ssh client algorithm kex ?
curve25519-sha256@libssh.org Curve 25519 key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
ecdh-sha2-nistp256 ECDH_SHA2_P256 ecdh key exchange algorithm
ecdh-sha2-nistp384 ECDH_SHA2_P384 ecdh key exchange algorithm
ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm
01-29-2024 12:59 AM
Which model and which IOS version did you check?
01-29-2024 03:46 AM
Also, is it possible to have the below existing and also the other kex like ecdh-sha2-nistp256 ECDH_SHA2_P256 ecdh?
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
Can both co-exist?
01-29-2024 08:12 AM
Yes, it can:
SW_EVO_LAB(config)#ip ssh client algorithm kex ?
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
ecdh-sha2-nistp256 ECDH_SHA2_P256 ecdh key exchange algorithm
ecdh-sha2-nistp384 ECDH_SHA2_P384 ecdh key exchange algorithm
ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm
SW_EVO_LAB(config)#ip ssh client algorithm kex ecdh-sha2-nistp256 ?
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
ecdh-sha2-nistp384 ECDH_SHA2_P384 ecdh key exchange algorithm
ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm
<cr> <cr>
SW_EVO_LAB(config)#ip ssh client algorithm kex ecdh-sha2-nistp256 diffie-hellman-group14-sha1 ?
ecdh-sha2-nistp384 ECDH_SHA2_P384 ecdh key exchange algorithm
ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm
<cr> <cr>
SW_EVO_LAB(config)#ip ssh client algorithm kex ecdh-sha2-nistp256 diffie-hellman-group14-sha1 ecdh-sha2-nistp384 ?
ecdh-sha2-nistp521 ECDH_SHA2_P521 ecdh key exchange algorithm
<cr> <cr>
SW_EVO_LAB(config)#ip ssh client algorithm kex ecdh-sha2-nistp256 diffie-hellman-group14-sha1 ecdh-sha2-nistp384 ecdh-sha2-nistp521
SW_EVO_LAB(config)#^Z
SW_EVO_LAB#sho ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2974043851
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4mH5U6RlTdcVT21QSWlFIbY6A3rn3JMwXBglBDhAN
cAa7QyyW8od8FhELCCCRG91Hem3s89pl2qR4rs+6j2ydirq+Yf0JZkZS98T5N+dgUscgJB9YvmShCPyU
vxmrQm/0r6KV1dgkXN+5KayuhXZYSGIgeNwuUPrUmEL7ntrOwxTQgCgf2XTDSwxhDGZKUL8p9v7sqx+4
LjyGqJ5laBnWMD7d0dYNXfZStuOCg8Oc+dB6AjUcfLE3KdZM23bh1h0hZtMg+8RfYaoTWviqJeB3qtwo
U/7yndIw1fnTfoVafKk+OalX2BGMoLooi+jhW3moEv3AtL7OzBizmcIKmTXr
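As an added example (my own code, not from this thread or from Cisco), here is a small Python audit that parses the `show ip ssh` output shown in the reply above, flags the SHA-1 based KEX, MAC and host-key entries a reviewer would want to retire, and reports which of the SHA-256 KEX names from the original question the device does not actually offer. The sample text is abbreviated from the output in this thread; the function names and the weak-algorithm patterns are my own choices, and the script runs offline on pasted output.

```python
"""Audit the algorithm lists reported by Cisco IOS-XE `show ip ssh`.

Paste the output of `show ip ssh` into SAMPLE_SHOW_IP_SSH (or read it from a
file) and the script lists legacy algorithms and any desired KEX names that
are not offered. Constructed sample below is abbreviated from this thread.
"""
import re

# Constructed sample: trimmed copy of the `show ip ssh` output in the reply above.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
"""

# Matches lines such as "KEX Algorithms:a,b,c" (category name, then a comma list).
ALGO_LINE = re.compile(r"^(?P<name>[A-Za-z ]+ Algorithms):(?P<list>.+)$")

# Patterns (my own choice) for algorithms that rely on SHA-1 or legacy ciphers.
WEAK_PATTERNS = {
    "KEX Algorithms": (re.compile(r"-sha1$"), "SHA-1 based key exchange"),
    "MAC Algorithms": (re.compile(r"^hmac-sha1(-96)?$"), "SHA-1 based MAC"),
    "Hostkey Algorithms": (re.compile(r"(^|-)ssh-rsa$"), "SHA-1 signature (ssh-rsa)"),
    "Encryption Algorithms": (re.compile(r"-cbc$|^3des"), "CBC mode or 3DES cipher"),
}


def parse_show_ip_ssh(text):
    """Return a dict like {'KEX Algorithms': [...], 'MAC Algorithms': [...]}.

    Order within each list is preserved because IOS negotiates in that order.
    """
    algos = {}
    for line in text.splitlines():
        m = ALGO_LINE.match(line.strip())
        if m:
            algos[m.group("name")] = [
                a.strip() for a in m.group("list").split(",") if a.strip()
            ]
    return algos


def weak_algorithms(algos):
    """List (category, algorithm, reason) tuples for legacy entries."""
    findings = []
    for category, (pattern, reason) in WEAK_PATTERNS.items():
        for algo in algos.get(category, []):
            if pattern.search(algo):
                findings.append((category, algo, reason))
    return findings


def missing_algorithms(algos, category, wanted):
    """Return the desired algorithms the device does not offer in `category`."""
    offered = set(algos.get(category, []))
    return [a for a in wanted if a not in offered]


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for category, algo, reason in weak_algorithms(parsed):
        print(f"LEGACY  {category}: {algo} ({reason})")
    # The SHA-256 KEX names the original question wanted to add.
    wanted_kex = ["diffie-hellman-group-exchange-sha256",
                  "diffie-hellman-group14-sha256"]
    for algo in missing_algorithms(parsed, "KEX Algorithms", wanted_kex):
        print(f"MISSING KEX Algorithms: {algo} is not offered by this image")
```

Run it against the real `show ip ssh` output of each device: the LEGACY lines give you an ordered list of what to trim with `ip ssh server algorithm kex`/`mac`/`hostkey`, and the MISSING lines are the evidence, per image, that a requested algorithm simply is not in the list the software offers.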
01-29-2024 06:03 AM - edited 01-29-2024 07:55 AM
C9200L-48P-4G 17.03.04b CAT9K_LITE_IOSXE
01-30-2024 04:47 PM
Will it be applicable on a Catalyst9300-24T-A running IOS 16.9.3?
01-31-2024 03:13 AM
In 16.x.x, tested with 16.12.4, you only have the following available:
PROD(config)#ip ssh client algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
02-01-2024 04:51 PM
Which model of switch are you testing this on?
02-20-2024 12:01 AM - edited 02-20-2024 12:02 AM
Do you have 16.9.X IOS to test it?
If it does not work with 16.12.4 it will not work with 16.9.3. Hope my understanding is right.
02-19-2024 10:30 PM
Yes, I have the same model and same IOS; it works.
But I want to check it on a Catalyst9300-24T-A with IOS ver 16.9.3.
I want to confirm if this is supported or not.
02-20-2024 12:17 AM
I don't have a switch with 16.9.3 in order to check, but I already checked in 16.12.x and the options you are looking for are not available. In my opinion it's hard to believe that they are available in an even older image than 16.12.x.
02-20-2024 01:34 AM
OK, got it. Thanks.
Since I cannot test it, I was looking for some evidence to show to my management that it is not possible.
01-31-2024 11:52 PM
In my environment the C9300 is running IOS 16.9, so I believe the below will not be supported