Here's a Cisco link on improving the SSH protocol settings on a Cisco device. One of our Cisco switches was flagged for using a weak SSH protocol. I hardened it by enforcing SSH version 2 and a minimum Diffie-Hellman key size of 2048 bits. You can safely reconfigure the SSH settings on the fly; it won't break your current remote SSH session.
Switch#show ip ssh
SSH Enabled - version 1.99 // version 1.99 means the server still accepts SSHv1 clients as well as SSHv2
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#crypto key generate rsa general-keys modulus 2048
% You already have RSA keys defined named Switch.lab.com.
% They will be replaced.
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 10 seconds)
Switch(config)#ip ssh version 2
Switch(config)#ip ssh time-out 60
Switch(config)#ip ssh authentication-retries 3
Switch(config)#end
Note that the minimum DH key size is still 1024 bits, even after regenerating the 2048-bit RSA key and enabling version 2. You need to configure the additional command ip ssh dh min size 2048 in order to enforce it.
Switch#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
client Configuration for client
dh Diffie-Hellman
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
precedence IP Precedence value for SSH traffic
pubkey-chain pubkey-chain
rekey Configure rekey values
rsa Configure RSA keypair name for SSH
server Configuration for server
source-interface Specify interface for source address in SSH connections
stricthostkeycheck Enable SSH Server Authentication
time-out Specify SSH time-out interval
version Specify protocol version to be supported
Switch(config)#ip ssh dh ?
min minimum
Switch(config)#ip ssh dh min ?
size key size
Switch(config)#ip ssh dh min size ?
1024 Diffie Group 1 1024-bit key
2048 Diffie Group 14 2048-bit key
4096 Diffie Group 16 4096-bit key
Switch(config)#ip ssh dh min size 2048
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14884 bytes to 7248 bytes[OK]
Switch#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
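As an added example (not from the original post or from Cisco), a small Python checker that parses show ip ssh output and reports which of the two settings this post changes still need fixing. The samples below are constructed from the before, intermediate and after output shown above; the remediation strings are the IOS commands used in the post.

```python
import re

# Constructed samples: the 'show ip ssh' output from this post before hardening,
# after 'ip ssh version 2' only, and after 'ip ssh dh min size 2048' (keys omitted).
BEFORE = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""
MID = BEFORE.replace("version 1.99", "version 2.0").replace("120 secs", "60 secs")
AFTER = MID.replace("1024 bits", "2048 bits")

def parse_show_ip_ssh(text):
    """Pull the settings this post cares about out of 'show ip ssh' output."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else default
    return {
        "version": grab(r"SSH Enabled - version (\S+)"),
        "ciphers": grab(r"Encryption Algorithms:(.*)", "").split(","),
        "macs": grab(r"MAC Algorithms:(.*)", "").split(","),
        "auth_timeout": int(grab(r"Authentication timeout:\s*(\d+) secs", "0")),
        "dh_min_bits": int(grab(r"Diffie Hellman key size\s*:\s*(\d+) bits", "0")),
    }

def audit(text, min_dh_bits=2048):
    """Return one remediation line (IOS config command) per failed check."""
    cfg = parse_show_ip_ssh(text)
    findings = []
    # '1.99' means the server still negotiates SSHv1 with old clients;
    # only '2.0' (set by 'ip ssh version 2') refuses them.
    if cfg["version"] != "2.0":
        findings.append(f"version {cfg['version']}: ip ssh version 2")
    # Regenerating the RSA key does not raise this; it needs its own command.
    if cfg["dh_min_bits"] < min_dh_bits:
        findings.append(f"dh {cfg['dh_min_bits']} bits: ip ssh dh min size {min_dh_bits}")
    return findings

def advisories(text):
    """Algorithms still advertised after the post's changes that SSH auditing
    tools commonly flag: CBC-mode ciphers and the truncated hmac-sha1-96 MAC."""
    cfg = parse_show_ip_ssh(text)
    return ([c for c in cfg["ciphers"] if c.endswith("-cbc")]
            + [m for m in cfg["macs"] if m.endswith("-96")])

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("mid", MID), ("after", AFTER)):
        print(name, audit(sample) or "OK", "| advisories:", advisories(sample))
```

Feed it the output of show ip ssh from a real device to confirm both changes took effect; the advisories list shows what the post's two commands do not touch.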