Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3260
Views
1
Helpful
4
Replies

Cisco Switch - SSH version 2 - MAC Algorithms

Go to solution
pacionet
Level 1
Level 1

‎02-15-2024 04:54 AM - edited ‎02-15-2024 04:56 AM

We have a cisco switch:

Cisco IOS XE Software, Version 17.13.01

with SSH 2 Enabled:

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KEX Algorithms:curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-787425290
Modulus Size : 2048 bits

A librenms plugin (oxidized) failed to ssh because "cannot settle on HMAC algorithms".

The same plugin can connect to other switches which have the following configuration:

SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2868021980

Is it possibile to "downgrade" SSH version or add the missing MACs?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
liviu.gheorghe
VIP
VIP

‎02-15-2024 11:29 AM

Hello @pacionet ,

on the switch with the problem, can you try adding the missing algorithms:

C8000v(config)#ip ssh client algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512

Regards, LG
*** Please Rate All Helpful Responses ***

View solution in original post

0 Helpful
4 Replies 4

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎02-15-2024 07:40 AM

 

 - Have a look into https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-16-5/sec-usr-ssh-xe-16-5-book/sec-secure-shell-algorithm-ccc.html#task_D34E7302F94347C3B9FD1558D6ED812D and order select you ciphers as supported by the ibrenms plugin

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
liviu.gheorghe
VIP
VIP

‎02-15-2024 11:29 AM

Hello @pacionet ,

on the switch with the problem, can you try adding the missing algorithms:

C8000v(config)#ip ssh client algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful

Go to solution
pacionet
Level 1
Level 1
In response to liviu.gheorghe

‎02-16-2024 02:06 AM

Thanks the command was right but I should enter "server" 

ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512

Go to solution
liviu.gheorghe
VIP
VIP
In response to pacionet

‎02-16-2024 02:19 AM

From the description I thought that the switch was trying to authenticate to some other device.

In this case, other device authenticating on the switch, you need the command ip ssh server algorithm mac ....

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful
Top