For example, let's say I want to allow 3DES but not DES. Can I do that? I don't see any options in the IOS Security Configuration Guide or Reference, or in the O'Reilly IOS Cookbook...
Thanks in advance, Heath
Heath Roberts wrote:
You have control over the version of SSH used on the Cisco device. e.g.: ip ssh version 2
I just did a capture and found the following on the Server Key Exchange, which suggests that SSHv2 on my device doesn't support single DES:
Take a look and see if you agree:
SSH Protocol
  SSH Version 2
    Packet Length: 276
    Padding Length: 4
    Key Exchange
      Msg code: Key Exchange Init (20)
      Algorithms
        Cookie: A19351FD6DAA335B5A7EED46E647C9FB
        kex_algorithms length: 26
        kex_algorithms string: diffie-hellman-group1-sha1
        server_host_key_algorithms length: 7
        server_host_key_algorithms string: ssh-rsa
        encryption_algorithms_client_to_server length: 41
        encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        encryption_algorithms_server_to_client length: 41
        encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        mac_algorithms_client_to_server length: 43
        mac_algorithms_client_to_server string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
        mac_algorithms_server_to_client length: 43
        mac_algorithms_server_to_client string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
        compression_algorithms_client_to_server length: 4
        compression_algorithms_client_to_server string: none
        compression_algorithms_server_to_client length: 4
        compression_algorithms_server_to_client string: none
        languages_client_to_server length: 0
        languages_server_to_client length: 0
        Payload: 0000000000
    Padding String:
Best Regards, News Reader
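Editor's note (added example, not part of either post): the dissection above contains every field needed to rebuild the KEXINIT byte for byte, so the script below reconstructs that packet from the quoted values, parses it per RFC 4253 section 7.1, and checks the advertised cipher name-lists against a policy. The policy (forbid single DES, allow 3des-cbc) is an assumption chosen to match the question in the thread; the packet is constructed from the post's values, not captured by the script. The same parser can be pointed at the KEXINIT of any SSHv2 server if you want positive confirmation of what it offers rather than relying on documentation.

```python
"""Rebuild and audit the SSH_MSG_KEXINIT shown in the thread (RFC 4253, 7.1).

Added example. The field values below are copied from the Wireshark dissection
quoted in the post; the binary packet is constructed from them here.
"""
import struct
from dataclasses import dataclass

SSH_MSG_KEXINIT = 20

# Values from the dissection in the post (constructed packet, not a live capture).
CAPTURED = {
    "cookie": bytes.fromhex("A19351FD6DAA335B5A7EED46E647C9FB"),
    "kex_algorithms": "diffie-hellman-group1-sha1",
    "server_host_key_algorithms": "ssh-rsa",
    "encryption_algorithms_client_to_server": "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "encryption_algorithms_server_to_client": "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "mac_algorithms_client_to_server": "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
    "mac_algorithms_server_to_client": "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
    "compression_algorithms_client_to_server": "none",
    "compression_algorithms_server_to_client": "none",
    "languages_client_to_server": "",
    "languages_server_to_client": "",
}
# RFC 4253 name-lists, in wire order.
NAME_LISTS = [k for k in CAPTURED if k != "cookie"]

# Policy (assumption for this example): single DES and the "none" cipher are
# forbidden; 3des-cbc is allowed, which is what the original question asked for.
FORBIDDEN_CIPHERS = {"des-cbc", "des-cbc@ssh.com", "none"}


def _name_list(s: str) -> bytes:
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    b = s.encode("ascii")
    return struct.pack(">I", len(b)) + b


def build_kexinit_packet(fields=CAPTURED, padding_length=4) -> bytes:
    """Binary packet: uint32 packet_length, byte padding_length, payload, padding."""
    payload = bytes([SSH_MSG_KEXINIT]) + fields["cookie"]
    for name in NAME_LISTS:
        payload += _name_list(fields[name])
    payload += b"\x00"                 # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)    # reserved (the "Payload: 0000000000" bytes above)
    padding = b"\x00" * padding_length
    packet_length = 1 + len(payload) + len(padding)   # 1 + 271 + 4 = 276, as captured
    return struct.pack(">IB", packet_length, padding_length) + payload + padding


@dataclass
class KexInit:
    cookie: bytes
    lists: dict              # name-list field -> list of algorithm names
    first_kex_packet_follows: bool


def parse_kexinit_packet(data: bytes) -> KexInit:
    """Parse an unencrypted SSHv2 binary packet carrying SSH_MSG_KEXINIT."""
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    if len(data) < 4 + packet_length:
        raise ValueError("truncated packet")
    payload = data[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    pos = 1
    cookie = payload[pos:pos + 16]
    pos += 16
    lists = {}
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[name] = raw.split(",") if raw else []
    return KexInit(cookie, lists, bool(payload[pos]))


def offered_ciphers(kex: KexInit) -> set:
    """Union of the two encryption name-lists (either direction could be weak)."""
    return (set(kex.lists["encryption_algorithms_client_to_server"])
            | set(kex.lists["encryption_algorithms_server_to_client"]))


def forbidden_offered(kex: KexInit, forbidden=FORBIDDEN_CIPHERS) -> set:
    """Forbidden ciphers the peer advertised; an empty set means the policy holds."""
    return offered_ciphers(kex) & set(forbidden)


def packet_length(packet: bytes) -> int:
    return int.from_bytes(packet[:4], "big")


if __name__ == "__main__":
    pkt = build_kexinit_packet()
    kex = parse_kexinit_packet(pkt)
    print("packet_length:", packet_length(pkt))
    print("ciphers offered:", sorted(offered_ciphers(kex)))
    print("forbidden ciphers offered:", sorted(forbidden_offered(kex)) or "none")
```

To audit a real device, read the server's identification line and first binary packet from TCP/22 after sending your own identification string and pass that packet to parse_kexinit_packet; KEXINIT is sent before encryption starts, so no key exchange is needed to see the offer.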
Thanks. Restricting to v2 had occurred to me, since I don't think DES is typically included, but I don't see that formally spelled out anywhere, and I would prefer more positive control: what would we do if one of the other protocols is broken in the near future?
Any other options folks can think of?