
SSH Weak Key Exchange Algorithms

bluesea2010
Level 5

Hi,

How do I disable weak key exchange algorithms here?

 

sh run all | in ssh
aaa authentication login ssh group radius local
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
no ip ssh rekey time
no ip ssh rekey volume
ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes128-ctr aes256-ctr
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc


sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes256-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDOwIb+mbLHxWbEr7sEg62f1t689oz+QuCOO7+AVhCa
HNQikUAbkXba1jNVvTAiPi50yDl6mXFYed0eSNxzuTn/Az1prWjeSHZvRgpA9FmOMufA9V9upRXDCUgt
QmL+FbdaIjInv9bQAdAQVPXr071zcDH/FzvB4xkpUyhruXZ1Kw==

Thanks

4 Replies

marce1000
Hall of Fame

 

Check this thread: https://community.cisco.com/t5/switching/how-to-disable-ssh-weak-key-exchange-algorithm/td-p/4537520

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    The mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

ip ssh server algorithm mac hmac-sha1 <<- this is weak; you need to use hmac-sha-192

Hi

ip ssh server algorithm mac hmac-sha1 hmac-sha1-96. I have only these two options.

Thanks

Let me check. Which platform and IOS/IOS XE are you using?
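
Added example, not part of any post in this thread and not Cisco code: a small Python audit that reads `sh run all | in ssh` output like the one in the question and lists the SSH settings that fall below a baseline. The function name `audit`, the 2048-bit threshold and the weak-algorithm lists are assumptions to adjust to your own standard; the sample input is constructed from the lines posted above.

```python
import re

# Constructed sample: lines taken from the "sh run all | in ssh" output in the first post.
SAMPLE = """\
ip ssh version 2
ip ssh dh min size 1024
no ip ssh rekey time
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes128-ctr aes256-ctr
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
"""

# Assumed audit policy (hypothetical baseline, not from the thread): tune to your own standard.
MIN_DH_BITS = 2048
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}
WEAK_CIPHER_RE = re.compile(r"-cbc$")

DH_RE = re.compile(r"^ip ssh dh min size (\d+)$")
ALGO_RE = re.compile(r"^ip ssh (server|client) algorithm (mac|encryption|kex) (.+)$")

def audit(config):
    """Return (config line, reason) pairs for SSH settings that violate the policy."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = DH_RE.match(line)
        if m:
            if int(m.group(1)) < MIN_DH_BITS:
                findings.append((line, f"DH minimum below {MIN_DH_BITS} bits"))
            continue
        m = ALGO_RE.match(line)
        if not m:
            continue  # unrelated or negated ("no ip ssh ...") lines
        role, kind, names = m.group(1), m.group(2), m.group(3).split()
        if kind == "mac":
            weak = [n for n in names if n in WEAK_MACS]
        elif kind == "encryption":
            weak = [n for n in names if WEAK_CIPHER_RE.search(n)]
        else:  # kex: the sample has no such line; this branch serves configs that do
            weak = [n for n in names if n in WEAK_KEX]
        if weak:
            findings.append((line, f"{role} {kind}: {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print(f"{reason:45} <- {line}")
```

On the posted configuration this reports the 1024-bit DH minimum, both MAC lines and the CBC ciphers in the client list; the server encryption line passes.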