topic How to disable weak SSH chipper and CBC on the ICX switches in RUCKUS Self-Help

How to disable weak SSH chipper and CBC on the ICX switches

Chandini — Tue, 29 Aug 2023 17:54:56 GMT

Here the switch model used is 7150 series and firmware running are 8095c.

Run “show ip ssh config” to view all SSH details.

Device#show ip ssh config

SSH server : Enabled

SSH port : tcp\22

Host Key : RSA 2048

Encryption : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc

Permit empty password : No

Authentication methods : Password, Public-key, Interactive

Authentication retries : 3

Idle timeout (minutes) : 5

SCP : Enabled

SSH IPv4 clients : All

SSH IPv6 clients : All

SSH IPv4 access-group :

SSH IPv6 access-group :

SSH Client Keys :

Client Rekey : 0 Minute, 0 KB

Server Rekey : 0 Minute, 0 KB

To disable weak SSH cipher:

The diffie-hellman-group1-sha1 key exchange method is a weaker algorithm and can be disabled using the “no ip ssh key-exchange-method dh-group1-sha1” command.

Command:

Device(config)#no ip ssh key-exchange-method dh-group1-sha1

To disable CBC encryption mode:

Command:

Device(config)# ip ssh encryption disable-aes-cbc

Output after disabling CBC encryption mode:

ICX7150-24F Switch(config)#show ip ssh config

SSH server : Enabled

SSH port : tcp\22

Host Key : RSA 2048

Encryption : aes256-ctr, aes192-ctr, aes128-ctr

Permit empty password : No

Authentication methods : Password, Public-key, Interactive

Authentication retries : 3

Idle timeout (minutes) : 5

SCP : Enabled

SSH IPv4 clients : All

SSH IPv6 clients : All

SSH IPv4 access-group :

SSH IPv6 access-group :

SSH Client Keys :

Client Rekey : 0 Minute, 0 KB

Server Rekey : 0 Minute, 0 KB

Reference links below:

Enabling SSH

https://docs.commscope.com/bundle/fastiron-09010-securityguide/page/GUID-8AAB14D8-A662-493A-8504-F7457B9BED02_1.html

Viewing SSH

https://docs.commscope.com/bundle/fastiron-09010-securityguide/page/GUID-CA1D6AD1-861E-49B3-8CC3-2C14BBA51136.html

Disabling telnet Access

https://docs.commscope.com/bundle/fastiron-08030-securityguide/page/GUID-0352E51C-3BF4-4F44-9853-466821A8E83E.html

Disable CBC

https://docs.commscope.com/bundle/fastiron-08030-adminguide/page/GUID-FFF3988D-6510-4D9E-B134-D484DB6BFE7C.html

Disable weak SSH cipher:

https://docs.commscope.com/bundle/fastiron-08090-securityguide/page/GUID-E6D5CCBB-B8BA-4818-B589-8FA464F2D4B6.html

Re: How to disable weak SSH chipper and CBC on the ICX switches

Dejeh1 — Mon, 17 Jun 2024 15:36:53 GMT

Thanks, but how do you enable a stronger exchange method?

Re: How to disable weak SSH chipper and CBC on the ICX switches

inphobia — Tue, 18 Jun 2024 03:00:16 GMT

most likely by first switching to a recent os version. 10.0.20 supports most current encryptio & key exchange options - which supports the following:

SSH@campus-core(config)#ip ssh key-exchange-method
ASCII string Enter algorithms separated by a space:
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
SSH@campus-core(config)#ip ssh ho
host-key-method SSH host key method
SSH@campus-core(config)#ip ssh host-key-method
ASCII string Enter algorithms separated by a space:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-512
rsa-sha2-256
ssh-ed25519
ssh-rsa
SSH@campus-core(config)#ip ssh enc
encryption SSH encryption algorithm support
SSH@campus-core(config)#ip ssh encryption
ASCII string Enter algorithms separated by a space:
aes256-cbc
aes192-cbc
aes128-cbc
aes256-ctr
aes192-ctr
aes128-ctr
3des-cbc

Re: How to disable weak SSH chipper and CBC on the ICX switches

Dejeh1 — Tue, 18 Jun 2024 15:08:28 GMT

Thanks, not sure if the 7250, 7150 and 7450 would a recent OS version other than 8095. Do you happen to have the command to enable a stronger exchange for this version.

Re: How to disable weak SSH chipper and CBC on the ICX switches

inphobia — Wed, 19 Jun 2024 23:47:34 GMT

i don't think it's possible to enable more recent ssh ciphers on 809, but most of your devices seem to support at least 09.0.10 , which seems to support more recent options.

see 09.0.10j_cd2 release notes.