
SSH Weak Key Exchange Algorithms Enabled on WS-C3850-12s

Hello All,

How can I disable this vulnerability on a Cisco C3850-12s: "The remote SSH server is configured to allow weak key exchange algorithms"?

 

Any help is more than appreciated!

 

Thanks


balaji.bandi
How can I disable this vulnerability: The remote SSH server is configured to allow weak key exchange algorithms on Cisco C3850-12s

What vulnerability? Do you have some logs or information?

I suggest going with SSH v2.

Post some information about what is running on the device:

show version

show ip ssh

BB


#show ip ssh

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-265129979
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDDeWgXXMoJVWhUjCciXEKAqoFSCp2Msfdc00t/qF82
PTju5BuLhAjyomJOhcgOst9KpbXHq6WR1eAFo+jS3NM9pME9VNd5uwtR7ZnehEewkNt8pTBSDO3ib0nk
RynT+8RYfvMesT/EOpHuWVgQmfhnxyCfgwQ+qaivNbm+m4QFbQ==

 

 

#show Version:
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Thu 25-Mar-21 13:09 by mcpre

 

As you can see above, my device is already running SSH v2.

 

 

The remote SSH server is configured to allow weak key exchange algorithms.

https://vscan.secintel.ibm.com/vscan/refs/refs.php?vuln_id=491043
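
Added example, not part of the thread and not Cisco or scanner code: a Python check that parses the `show ip ssh` output posted above and separates the offered KEX algorithms into those RFC 9142 discourages and the rest. The weak list is an assumption taken from RFC 9142 (the scanner behind the finding may use a different list), and the sample text is constructed from the algorithm lines in the post.

```python
import re

# Assumption: KEX names RFC 9142 marks SHOULD NOT / MUST NOT. A scanner's own
# list may differ, so adjust this set to match the finding being remediated.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "rsa1024-sha1",
}
WEAK_KEX_PREFIXES = ("gss-group1-sha1-", "gss-gex-sha1-")

# Constructed sample: the algorithm lines from the `show ip ssh` output above.
SAMPLE = """\
SSH Enabled - version 2.0
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

def parse_algorithms(text):
    """Return {'KEX': [...], 'MAC': [...], ...} from `show ip ssh` output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?) Algorithms\s*:\s*(\S+)", line)
        if m:
            found[m.group(1).strip()] = [a for a in m.group(2).split(",") if a]
    return found

def audit_kex(text):
    """Split the offered KEX list into (weak, other); raise if no KEX line."""
    algs = parse_algorithms(text)
    if "KEX" not in algs:
        raise ValueError("no 'KEX Algorithms:' line found in input")
    weak = [a for a in algs["KEX"]
            if a in WEAK_KEX or a.startswith(WEAK_KEX_PREFIXES)]
    other = [a for a in algs["KEX"] if a not in weak]
    return weak, other

if __name__ == "__main__":
    weak, other = audit_kex(SAMPLE)
    print("weak KEX offered:", ", ".join(weak) or "none")
    print("other KEX offered:", ", ".join(other) or "none")
    # Everything left may still be SHA-1 based, which some scanners also flag.
    print("SHA-1 only:", all(a.endswith("sha1") for a in weak + other))
```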

Jitendra Kumar

Hi,

 

#/etc/ssh/sshd_config
#man sshd_config


Copy the Ciphers into Notepad and put them on a single line separated by commas.

Copy the MACs into Notepad as well and put them on a single line separated by commas.

Then edit the file using the command below:

#vi /etc/ssh/sshd_config


Search for Cipher, then copy the Ciphers and MACs and paste them at the end of the Cipher line.

Save the file.

#systemctl restart sshd


Thanks,
Jitendra
