How to disable weak SSH cipher and CBC on the ICX switches

Chandini
RUCKUS Team Member

Here the switch model used is the 7150 series and the firmware running is 8095c.

Run “show ip ssh config” to view all SSH details.

Device#show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   : RSA 2048
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Permit empty password      : No
Authentication methods     : Password, Public-key, Interactive
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 5
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :
SSH Client Keys            :
Client Rekey               : 0 Minute, 0 KB
Server Rekey               : 0 Minute, 0 KB

To disable weak SSH cipher:

The diffie-hellman-group1-sha1 key exchange method is a weaker algorithm and can be disabled using the “no ip ssh key-exchange-method dh-group1-sha1” command.

Command:

  • Device(config)#no ip ssh key-exchange-method dh-group1-sha1

To disable CBC encryption mode:

Command:

  • Device(config)#ip ssh encryption disable-aes-cbc

Output after disabling CBC encryption mode:

ICX7150-24F Switch(config)#show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   : RSA 2048
Encryption                 : aes256-ctr, aes192-ctr, aes128-ctr
Permit empty password      : No
Authentication methods     : Password, Public-key, Interactive
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 5
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :
SSH Client Keys            :
Client Rekey               : 0 Minute, 0 KB
Server Rekey               : 0 Minute, 0 KB

Reference links below:

Enabling SSH

Viewing SSH

Disabling telnet Access

Disable CBC

Disable weak SSH cipher
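As an added check (example code written for this page, not from the post or from RUCKUS): a small Python script that parses "show ip ssh config" output, flags CBC and 3DES ciphers, and maps them to the disable-aes-cbc command given above. The sample outputs are constructed from the post's before/after listings; the weak-cipher policy (anything CBC-mode or 3DES) is an assumption of the example.

```python
"""Audit ICX 'show ip ssh config' output for CBC / 3DES ciphers (added example)."""
import re

# Constructed policy for this example: CBC-mode ciphers and 3DES are weak.
WEAK_CIPHER_RE = re.compile(r"^3des-|-cbc$")
# Remediation command quoted from the post (FastIron 8095 syntax).
FIX_CBC = "ip ssh encryption disable-aes-cbc"


def parse_ssh_config(text):
    """Parse the 'Field : value' lines of show ip ssh config into a dict.

    The Encryption field becomes a list of algorithm names; the command echo
    line (no ':') is skipped, and empty fields such as access-groups stay ''.
    """
    cfg = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip(), value.strip()
        if field == "Encryption":
            value = [a.strip() for a in value.split(",") if a.strip()]
        cfg[field] = value
    return cfg


def audit_ssh_config(text):
    """Return (weak_ciphers, remediation_commands) for one show output."""
    cfg = parse_ssh_config(text)
    weak = [c for c in cfg.get("Encryption", []) if WEAK_CIPHER_RE.search(c)]
    fixes = [FIX_CBC] if weak else []
    return weak, fixes


# Constructed sample mirroring the 'before' output in the post (trimmed).
BEFORE = """Device#show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\\22
Host Key                   : RSA 2048
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Permit empty password      : No
SSH IPv4 access-group      :
"""
# Constructed 'after' sample: same output once disable-aes-cbc has been applied.
AFTER = BEFORE.replace("aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc",
                       "aes256-ctr, aes192-ctr, aes128-ctr")

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        weak, fixes = audit_ssh_config(sample)
        print(f"{name}: weak={weak} fix={fixes}")
```

Run it against the captured output of each switch; an empty weak list confirms the CBC ciphers are gone, as in the post's second listing.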

 


Dejeh1
New Contributor

Thanks, but how do you enable a stronger exchange method?

Most likely by first switching to a recent OS version. 10.0.20 supports most current encryption & key exchange options and supports the following:

 

SSH@campus-core(config)#ip ssh key-exchange-method
ASCII string Enter algorithms separated by a space:
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
SSH@campus-core(config)#ip ssh ho
host-key-method SSH host key method
SSH@campus-core(config)#ip ssh host-key-method
ASCII string Enter algorithms separated by a space:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-512
rsa-sha2-256
ssh-ed25519
ssh-rsa
SSH@campus-core(config)#ip ssh enc
encryption SSH encryption algorithm support
SSH@campus-core(config)#ip ssh encryption
ASCII string Enter algorithms separated by a space:
aes256-cbc
aes192-cbc
aes128-cbc
aes256-ctr
aes192-ctr
aes128-ctr
3des-cbc

Thanks, not sure if the 7250, 7150 and 7450 would support a recent OS version other than 8095. Do you happen to have the command to enable a stronger exchange for this version?

I don't think it's possible to enable more recent SSH ciphers on 809, but most of your devices seem to support at least 09.0.10, which seems to support more recent options.

See the 09.0.10j_cd2 release notes.