cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
114681
Views
80
Helpful
13
Replies

Disabling SSH CBC cipher on Cisco routers/switches

vvujicevic
Level 1
Level 1

Hello,

Our client ordered PenTest, and as a feedback they got recommendation to "Disable SSH CBC Mode Ciphers, and allow only CTR ciphers" and "Disable weak SSH  MD5 and 96-bit MAC algorithms" on their Cisco 4506-E switches with CIsco IOS 15.0

I have gone through Cisco documentation that i could find, also tried to find the commands on the switches itself but i found no way manipulate these SSH options. (SSH v2 only is already configured) 

 

Is there any way to do   this on Cisco IOS? If not what are my alternatives?

2 Accepted Solutions

Accepted Solutions

You can use an external server for authentication. But that won't change anything in encryption.

RADIUS will be fine for Authentication, if you are also looking for strong authorization, you should look into TACACS+.

Back to you original problem:

Some/long time ago a customer had a similar problem and solved it the following way:

  1. All routers and switches had an access-class that only allowed two Linux-servers to access the devices by SSH.
  2. The SSH-server was accessed by the admins and used as a jump-point to access the routers/switches
  3. The linux-servers had a modified ssh-server config to only allow strong crypto from the Admins and also to audit the admin-work.

With that, there was strong crypto from the admin-workstations to the linux-server and quite weak crypto from the linux box to the routers switches (that was at the 2950/3900XL-times). But as the linux-boxes were positioned in the management-network, the all over risk was reduced.

View solution in original post

thiland
Level 3
Level 3

This is finally available in Cisco ASA as of 9.1(7), 9.4(3), 9.5(3), and 9.6(1) with a basic hardened config such as:

ssh version 2
ssh cipher encryption custom "aes128-ctr:aes192-ctr:aes256-ctr"
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
ssh timeout 60
show ssh ciphers

EDIT: Changed "high" template for SSH to explicit ciphers

 

TLS1.2 can also be configured similarly, although the "high" template doesn't remove all weaker ciphers (PFS is preferred with ECDHE or DHE as long as the self-signed or public certificate key strength is > 1024-bits), so you have to make it custom:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl dh-group group14
ssl ecdh-group group20

EDIT: Updated ciphers and added ECDH group.  Also note that Cisco IP phones running DTLSv1 may need a matching TLSv1.2 cipher (they don't work when using TLSv1.2 ECDHE cipher + a weaker DTLSv1 cipher).

 

IOS-based devices starting with 15.5(2)T can use:

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes128-ctr aes256-ctr

I read Karsten's link after I wrote this and it has many more details, so consider the above cliff notes.

View solution in original post

13 Replies 13

Based on your version you are quite limited in what you can configure. I wrote a little guide for the SSH-config:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security

Thanks for the reply.

So theres no way i can configure this on Cisco... thought so

Is there any other way, like using some kind of server and redirecting SSH authentication to it? Our client already has RADIUS server, can we use that? 

You can use an external server for authentication. But that won't change anything in encryption.

RADIUS will be fine for Authentication, if you are also looking for strong authorization, you should look into TACACS+.

Back to you original problem:

Some/long time ago a customer had a similar problem and solved it the following way:

  1. All routers and switches had an access-class that only allowed two Linux-servers to access the devices by SSH.
  2. The SSH-server was accessed by the admins and used as a jump-point to access the routers/switches
  3. The linux-servers had a modified ssh-server config to only allow strong crypto from the Admins and also to audit the admin-work.

With that, there was strong crypto from the admin-workstations to the linux-server and quite weak crypto from the linux box to the routers switches (that was at the 2950/3900XL-times). But as the linux-boxes were positioned in the management-network, the all over risk was reduced.

Thank you, we will probably try something similar, although i doubt it will help with future PenTests as CBC will still be enabled.

 

Thanks again

Well, when the device doesn't answer a SSH-request, there will be no cipher to negotiate. At least not from the general network. ;-)

Thanks

thiland
Level 3
Level 3

This is finally available in Cisco ASA as of 9.1(7), 9.4(3), 9.5(3), and 9.6(1) with a basic hardened config such as:

ssh version 2
ssh cipher encryption custom "aes128-ctr:aes192-ctr:aes256-ctr"
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
ssh timeout 60
show ssh ciphers

EDIT: Changed "high" template for SSH to explicit ciphers

 

TLS1.2 can also be configured similarly, although the "high" template doesn't remove all weaker ciphers (PFS is preferred with ECDHE or DHE as long as the self-signed or public certificate key strength is > 1024-bits), so you have to make it custom:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl dh-group group14
ssl ecdh-group group20

EDIT: Updated ciphers and added ECDH group.  Also note that Cisco IP phones running DTLSv1 may need a matching TLSv1.2 cipher (they don't work when using TLSv1.2 ECDHE cipher + a weaker DTLSv1 cipher).

 

IOS-based devices starting with 15.5(2)T can use:

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes128-ctr aes256-ctr

I read Karsten's link after I wrote this and it has many more details, so consider the above cliff notes.

Hi,

 

Is there any chance of disaling SSL in version 12.2 on Cisco 3750 series switch.

 

Thank You,


Raja.

For cisco Catalyst 4500 (WS-C4507R+E) there is not a IOS-based devices starting with 15.x, the releases are 3.x ... the command are avilable in some of this releases or there are other special commands for 4500?

Well done

A few additional/stronger options in IOS-XE 16 (example from 16.12):

ip ssh dh min size 2048
ip ssh server algorithm encryption aes256-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm kex diffie-hellman-group14-sha1
ip ssh client algorithm encryption aes256-ctr aes128-ctr

SSH server ciphers can be verified with nmap 7.8:

nmap --script ssh2-enum-algos 10.11.12.13

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-21 08:40 MST
Nmap scan report for 10.11.12.13
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (1)
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (2)
| aes256-ctr
| aes128-ctr
| mac_algorithms: (1)
| hmac-sha2-256
| compression_algorithms: (1)
|_ none
179/tcp filtered bgp

@thiland Will i lose my ssh connection if i entered below command on cisco asa

 

ssh version 2
ssh cipher encryption custom "aes128-ctr:aes192-ctr:aes256-ctr"

 

@thiland Can you pls help me regarding my query.