03-07-2022 11:21 PM
Hi,
I would like to remove 3des-cbc for SSH, as this was identified as a deprecated SSH cryptographic setting.
Does this mean that if you disable 3des-cbc, all the aes-cbc modes will be disabled, right?
And what is the impact on the switch operation?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
Thank you in advance,
Elmani
03-07-2022 11:44 PM
You can make it custom as mentioned below (to mitigate the issue). Make sure you are running SSHv2:
https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344
Note: this suggestion is based on the information given. If this does not meet the requirement, provide the device and the IOS code it is running, along with the show ip ssh output.
03-08-2022 12:11 AM
Thanks BB,
The target switch (WS-C3850-48P) is running 03.03.01SE,
and the ip ssh output is:
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
The ciphers for SSH already exist as above. Now, if I remove 3des-cbc, does this mean all aes-cbc will be removed as well?
And what is the impact on the switch operation?
03-08-2022 04:47 AM
>...The cipher for SSH is already existing as above, now if I remove 3des-cbc, this mean all aes-cbc will be remove as well?
- You can verify this, for instance, with:
nmap --script ssh2-enum-algos ciscodevicename
M.
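An added example (not from any of the posters above) that parses the show ip ssh output quoted in the thread and audits it the way a scanner would: it lists every CBC-mode cipher, the truncated MAC, and the 1024-bit DH minimum, and it shows what is left after dropping only 3des-cbc. Because each algorithm is a separate entry in the list, removing 3des-cbc by itself leaves the three aes-*-cbc entries in place; the sample output is constructed from the lines in the post, and the thresholds (2048-bit DH, hmac-sha1-96 and MD5 MACs flagged) are the script's own assumptions.

```python
import re

# Constructed sample: the "show ip ssh" output posted in the thread above.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
"""

def parse_show_ip_ssh(text):
    """Pull the SSH version, cipher list, MAC list and minimum DH size out of 'show ip ssh'."""
    info = {"version": None, "ciphers": [], "macs": [], "dh_bits": None}
    for line in text.splitlines():
        if m := re.match(r"SSH Enabled - version ([\d.]+)", line):
            info["version"] = m.group(1)
        elif m := re.match(r"Encryption Algorithms:(.*)", line):
            info["ciphers"] = m.group(1).strip().split(",")
        elif m := re.match(r"MAC Algorithms:(.*)", line):
            info["macs"] = m.group(1).strip().split(",")
        elif m := re.search(r"Diffie Hellman key size\s*:\s*(\d+)\s*bits", line):
            info["dh_bits"] = int(m.group(1))
    return info

def cbc_ciphers(ciphers):
    """Every cipher that runs in CBC mode; each is its own list entry and is removed on its own."""
    return [c for c in ciphers if c.endswith("-cbc")]

def remove_ciphers(ciphers, to_remove):
    """The cipher list that would remain after removing exactly the named entries."""
    return [c for c in ciphers if c not in set(to_remove)]

def audit(info, min_dh_bits=2048):
    """Findings a scanner would typically raise against this configuration (assumed thresholds)."""
    findings = []
    if info["version"] != "2.0":
        findings.append(f"SSH version {info['version']}: only SSHv2 should be enabled")
    for c in cbc_ciphers(info["ciphers"]):
        findings.append(f"cipher {c}: CBC mode is deprecated" + (" (3DES)" if c.startswith("3des") else ""))
    for m in info["macs"]:
        if m == "hmac-sha1-96" or m.startswith("hmac-md5"):
            findings.append(f"MAC {m}: truncated or MD5-based MAC is deprecated")
    if info["dh_bits"] is not None and info["dh_bits"] < min_dh_bits:
        findings.append(f"DH minimum {info['dh_bits']} bits: below {min_dh_bits}")
    return findings

if __name__ == "__main__":
    print(*audit(parse_show_ip_ssh(SHOW_IP_SSH)), sep="\n")
```

Feed it the real output of show ip ssh (or the cipher list from the nmap ssh2-enum-algos script) to compare what the switch is configured with against what it actually offers.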