02-03-2022 06:08 AM
Hello All,
How can I disable this vulnerability: The remote SSH server is configured to allow weak key exchange algorithms on Cisco C3850-12s
Any help is more than appreciated!
Thanks
02-03-2022 06:13 AM
How can I disable this vulnerability: The remote SSH server is configured to allow weak key exchange algorithms on Cisco C3850-12s
What vulnerability? Do you have some logs or information?
Suggest going with SSH v2.
Post some information on what is running on the device:
show version
show ip ssh
02-04-2022 05:14 AM
#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-265129979
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDeWgXXMoJVWhUjCciXEKAqoFSCp2Msfdc00t/qF82
PTju5BuLhAjyomJOhcgOst9KpbXHq6WR1eAFo+jS3NM9pME9VNd5uwtR7ZnehEewkNt8pTBSDO3ib0nk
RynT+8RYfvMesT/EOpHuWVgQmfhnxyCfgwQ+qaivNbm+m4QFbQ==
#show version
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Thu 25-Mar-21 13:09 by mcpre
As you can see above, my device is already running SSH v2.
02-04-2022 05:15 AM
The remote SSH server is configured to allow weak key exchange algorithms.
https://vscan.secintel.ibm.com/vscan/refs/refs.php?vuln_id=491043
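An added example, not part of any post in this thread: a small Python check that parses `show ip ssh` output and separates the advertised key exchange algorithms into weak entries and what would remain if those were removed. The weak list is an assumption taken from the RFC 9142 ratings and may differ from the scanner's own list; the function names are hypothetical.

```python
import re

# Assumption: KEX names that RFC 9142 rates SHOULD NOT or MUST NOT.
# The scanner that produced the finding may use a different list.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
            "rsa1024-sha1"}
WEAK_KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")

# Algorithm lines copied from the "show ip ssh" output posted in the thread.
SAMPLE = """\
SSH Enabled - version 2.0
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

FIELD = re.compile(r"^\s*(Hostkey|Encryption|MAC|KEX) Algorithms\s*:\s*(.*?)\s*$")


def parse_show_ip_ssh(text):
    """Map each algorithm category to the list the device advertises."""
    algos = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            algos[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algos


def audit_kex(text):
    """Split the advertised KEX list into weak entries and what would remain."""
    algos = parse_show_ip_ssh(text)
    if not algos.get("KEX"):
        raise ValueError("no 'KEX Algorithms' line found in the supplied output")
    weak = [a for a in algos["KEX"]
            if a in WEAK_KEX or a.startswith(WEAK_KEX_PREFIXES)]
    remaining = [a for a in algos["KEX"] if a not in weak]
    return {"weak": weak, "remaining": remaining}


if __name__ == "__main__":
    report = audit_kex(SAMPLE)
    print("weak KEX offered:", ", ".join(report["weak"]) or "none")
    # An empty 'remaining' list means no client could negotiate a session
    # once the weak entries are removed.
    print("KEX left after removal:", ", ".join(report["remaining"]) or "NONE")
```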
02-04-2022 04:42 AM
Hi,
#/etc/ssh/sshd_config
#man sshd_config
Copy the Ciphers into Notepad and put them on a single line separated by commas.
Copy the MACs into Notepad as well and put them on a single line separated by commas.
Then edit the file using the command below:
#vi /etc/ssh/sshd_config
Search for Cipher, copy the Ciphers and MACs, and paste them into the end line of Cipher.
Save file
#systemctl restart sshd
Thanks,
Jitendra