11-20-2023 10:32 PM
In my Cisco IOS version 15.2(3)T4, CBC mode cipher is enabled.
I am looking for suggestions to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
11-21-2023 12:02 AM
@khushboo your IOS version might be too old to support the stronger ciphers and the commands, but try -
ip ssh server algorithm encryption aes256-gcm aes256-ctr aes192-ctr aes128-gcm
11-21-2023 12:11 AM
Hi Rob, these commands are not supported in my router.
I am getting multiple vulnerabilities related to weak ciphers and algorithms.
SSH Weak Key Exchange Algorithms Enabled |
SSH Server CBC Mode Ciphers Enabled |
SSH Weak MAC Algorithms Enabled |
I did configure dh with size 2048, but all vulnerabilities are still existing.
#sh run all | i ssh
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 2048
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
transport preferred ssh
transport input telnet ssh
transport output ssh
transport preferred ssh
transport input ssh
transport output ssh
Router#sh ip ssh
Load for five secs: 0%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 16:08:05.840 ACDT Tue Nov 21 2023
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtgKXH5mtk+v3HhXVKJJpOwB4JL/cxxaeq1RL+0m7A
....................
I can see only the allowed configs below.
(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
dh Diffie-Hellman
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
precedence IP Precedence value for SSH traffic
pubkey-chain pubkey-chain
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH connections
stricthostkeycheck Enable SSH Server Authentication
time-out Specify SSH time-out interval
version Specify protocol version to be supported
11-21-2023 12:15 AM
@khushboo like I said your IOS is so old it probably will not support the stronger SSH ciphers. If you cannot upgrade the software because the hardware is EOL, then you'd have to replace the hardware. What hardware do you have?
11-21-2023 12:17 AM - edited 11-21-2023 12:29 AM
@Rob Ingram It is Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(3)T4, RELEASE SOFTWARE (fc2)
#sh ver
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 16:32:21.082 ACDT Tue Nov 21 2023
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(3)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 04-Sep-13 13:59 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
adl-iin-lon-corp-guest1 uptime is 3 years, 15 weeks, 3 days, 12 hours, 21 minutes
System returned to ROM by power-on
System restarted at 02:53:51 ACDT Wed Aug 5 2020
System image file is "flash:c1900-universalk9-mz.SPA.152-3.T4.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL170422RM
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1921/K9 FGL170422RM
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
data datak9 Permanent datak9
11-21-2023 12:24 AM
enable CTR or GCM cipher mode encryption
If that is the intention, you are welcome to go ahead, but make sure the other systems you use to connect to the router are able to use the same level of encryption.
11-21-2023 12:26 AM - edited 11-21-2023 12:26 AM
What will be the commands to enable this, as I have older Cisco software?
11-21-2023 12:35 AM
@khushboo I checked my 1921 running 15.7 and it supports AES-CTR. The command highlighted in bold below does not appear to be available in your IOS version, so you will need to upgrade the software.
Router#show ver | i Version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
Router#show run | i ssh
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr
https://software.cisco.com/download/home/282977114/type/280805680/release/15.7.3M9
11-21-2023 12:39 AM
@Rob Ingram what should be the minimum software version to support this