Kudo123
Beginner

Disable CBC Cipher of SSH Server on Cisco Catalyst 2960 / 4506

Hi All,

I would like to disable some weak ciphers on Cisco 2960 / 4506, but there seem to be no command(s) for removing such ciphers (e.g. ip ssh server algorithm encryption XXX). Could anyone kindly help me with this? Thanks so much.

Model: WS-C2960+24TC-L
OS: 15.0(2)SE11 ( c2960-lanbasek9-mz.150-2.SE11.bin )

Model: WS-C4506-E
OS: 15.0(2)SG7 ( cat4500-entservicesk9-mz.150-2.SG7.bin )

Switch(config)#ip ssh server ?
% Unrecognized command


pman
Participant

If the IOS device is running at least 15.5(2), then it's possible to disable unwanted algorithms. In security audits, all CBC ciphers are often a problem.

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
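As an added example (not part of pman's reply or of the linked guide), this is what the algorithm restriction looks like on a device that does run a release with the feature, followed by the check that confirms it took effect. The hostname Switch follows the original post; the algorithm names your image accepts must be confirmed with the `?` help, because the supported list varies by release, and the `show ip ssh` output shown is abridged and illustrative:

```cisco
! Added example: restrict the IOS SSH server to CTR ciphers. Requires the
! "SSH Algorithms for Common Criteria Certification" feature (15.5(2)T/S or later);
! on 15.0(2)SE/SG "ip ssh server" is an unrecognized command, as in the thread.
!
! 1. List what this image supports before choosing; names vary by release.
Switch(config)# ip ssh server algorithm encryption ?
!
! 2. Offer only CTR ciphers, strongest first. Anything not listed (all the
!    *-cbc names) is no longer advertised in the server's KEXINIT, so a client
!    cannot negotiate it no matter what it proposes.
Switch(config)# ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
! 3. Same idea for MACs: drop hmac-sha1-96. Newer releases also accept
!    hmac-sha2-256 / hmac-sha2-512; put them first if "?" lists them.
Switch(config)# ip ssh server algorithm mac hmac-sha1
Switch(config)# ip ssh version 2
Switch(config)# end
!
! 4. Verify: the Encryption Algorithms / MAC Algorithms lines must not contain "cbc".
Switch# show ip ssh
SSH Enabled - version 2.0
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 120 secs; Authentication retries: 3
```

The order given on the command line is the server's preference order. Confirm the result from the client side as well (for OpenSSH, `ssh -vv` prints the cipher the two sides agreed on), since a scanner will judge what the server actually advertises, not what the running-config says.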

Dear pman,

Referring to the post, there is a command "ip ssh server algorithm encryption XXX" in IOS, but this command could not be found on my Cisco Catalyst 2960 & 4506. I am not sure if it relates to the IOS version or the model.


pman
Participant

Hope this helps a bit,

Table 1  Feature Information for SSH Algorithms for Common Criteria Certification

Feature Name:        SSH Algorithms for Common Criteria Certification
Releases:            Cisco IOS 15.5(2)T
                     Cisco IOS 15.5(2)S
Feature Information: The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list.

The following commands were introduced by this feature: ip ssh {server | client} algorithm encryption, ip ssh {server | client} algorithm mac.


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html

Dear pman,

Thanks for the reply.

But I tried the command on the switch and it failed as below; I'm not sure if it relates to the IOS version or the model.


Test Result

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#ip ssh server ?
% Unrecognized command
Switch(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  dh                      Diffie-Hellman
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  precedence              IP Precedence value for SSH traffic
  pubkey-chain            pubkey-chain
  rekey                   Configure rekey values
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  stricthostkeycheck      Enable SSH Server Authentication
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

Switch(config)#end

OK, on what switch are you trying this? (2K or 4K)

Can you post the output below:


show version

show ip ssh

BB

Hi,

I have 2 switches, a Cisco Catalyst 2960 and a 4506, and the CLI output is as below; thanks for your help.


Cisco 2960

Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 19-Aug-17 09:34 by prod_rel_team

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)

Switch uptime is 16 weeks, 2 days, 6 hours, 16 minutes
System returned to ROM by power-on
System restarted at 08:38:00 HK Tue Jun 29 2021
System image file is "flash:/c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960+24TC-L (PowerPC405) processor (revision B0) with 131072K bytes of memory.
Processor board ID XXX
Last reset from power-on
2 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : XXX
Motherboard assembly number : XXX
Power supply part number : XXX
Motherboard serial number : XXX
Power supply serial number : XXX
Model revision number : B0
Motherboard revision number : B0
Model number : WS-C2960+24TC-L
System serial number : XXX
Top Assembly Part Number : XXX
Top Assembly Revision Number : C0
Version ID : V01
CLEI Code Number : XXX
Hardware Board Revision Number : 0x0B


Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    ----------
*    1 26    WS-C2960+24TC-L    15.0(2)SE11   C2960-LANBASEK9-M


Configuration register is 0xF

Switch#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa XXX

Cisco 4506

Switch#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 15.0(2)SG7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 01-May-13 18:06 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x123AB54C

ROM: 12.2(31r)SGA2
Dagobah Revision 226, Swamp Revision 34

npdm2rtc01 uptime is 1 year, 13 weeks, 5 days, 13 hours, 44 minutes
System returned to ROM by reload
System restarted at 01:13:24 HK Fri Jul 17 2020
System image file is "bootflash:/cat4500-entservicesk9-mz.150-2.SG7.bin"
Last reload reason: Reload command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C4506-E (MPC8245) processor (revision 4) with 524288K bytes of memory.
Processor board ID XXX
MPC8245 CPU at 400Mhz, Supervisor V
Last reset from Reload
83 Virtual Ethernet interfaces
26 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

Switch#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Kudo123
Beginner

Could anyone kindly help with this? Thanks so much.

Hi,

As I mentioned above, including a quote of the version: your version does not support this feature.

SSH Algorithms for Common Criteria Certification
Releases: Cisco IOS 15.5(2)T, Cisco IOS 15.5(2)S

The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list.

The following commands were introduced by this feature: ip ssh {server | client} algorithm encryption, ip ssh {server | client} algorithm mac.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html
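The two images in this thread, 15.0(2)SE11 and 15.0(2)SG7, predate the algorithm commands, so their SSH servers will keep advertising CBC ciphers until the image is upgraded. As an added example (not part of BB's reply), here is the hardening those releases do expose, built only from the keywords visible in the `ip ssh ?` listing earlier in the thread: a 2048-bit host key, SSH version 2 only, a 2048-bit Diffie-Hellman floor instead of the 1024 bits the 2960 reports, tighter timeouts, and a VTY access class. The `ip ssh ?` listing comes from one of the two switches, so confirm each keyword with `?` on the other. The key label SSH-KEY, the ACL name SSH-MGMT and the management subnet 10.0.0.0/24 are placeholders to adapt:

```cisco
! Added example for 15.0(2)SE/SG images that lack "ip ssh server algorithm":
! the CBC ciphers cannot be removed here, so tighten everything else.
! Placeholders: key label SSH-KEY, ACL SSH-MGMT, management subnet 10.0.0.0/24.
!
! Fresh 2048-bit host key, bound to SSH by name ("rsa" keyword in "ip ssh ?").
Switch(config)# crypto key generate rsa label SSH-KEY modulus 2048
Switch(config)# ip ssh rsa keypair-name SSH-KEY
!
! SSHv1 off ("version" keyword); both "show ip ssh" outputs above report 2.0.
Switch(config)# ip ssh version 2
!
! Raise the group-exchange floor ("dh" keyword) from the 1024 bits on the 2960.
Switch(config)# ip ssh dh min size 2048
Switch(config)# ip ssh time-out 60
Switch(config)# ip ssh authentication-retries 3
!
! Only the management subnet may reach the SSH server at all.
Switch(config)# ip access-list standard SSH-MGMT
Switch(config-std-nacl)# permit 10.0.0.0 0.0.0.255
Switch(config-std-nacl)# deny any log
Switch(config-std-nacl)# exit
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# access-class SSH-MGMT in
Switch(config-line)# exec-timeout 10 0
Switch(config-line)# end
!
! Check what was applied; "show ip ssh" on these images prints no
! Encryption Algorithms line, which is itself the sign the cipher list
! is not configurable on this release.
Switch# show ip ssh
Switch# show running-config | include ip ssh|access-class|transport input
```

Because the server still advertises CBC, the remaining control is on the client: restrict the ciphers your SSH clients will propose (for OpenSSH, the `Ciphers` option in ssh_config) so a CBC suite is never selected in practice, and treat the audit finding as closed only once the switch runs an image that has `ip ssh server algorithm encryption`. Raising the DH minimum to 2048 bits also means older clients that only offer 1024-bit group exchange will be refused, so test from your management hosts before rolling it out.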

Hi,

Thanks for your information.