Posted by Heath Roberts on April 17, 2008, 4:11 pm
> Heath Roberts wrote:
> > For example, let's say I want to allow 3DES but not DES. Can I do
> > that? I don't see any options in the IOS Security Configuration Guide
> > or Reference, or in the O'Reilly IOS Cookbook...
>
> > Thanks in advance,
> > Heath
>
> You have control over the version of SSH used on the Cisco device. e.g.:
> ip ssh version 2
>
> I just did a capture and found the following on the Server Key Exchange
> which suggests that the SSHv2 on my device, doesn't support single DES:
>
> Take a look and see if you agree:
>
> SSH Protocol
>     SSH Version 2
>         Packet Length: 276
>         Padding Length: 4
>         Key Exchange
>             Msg code: Key Exchange Init (20)
>             Algorithms
>                 Cookie: A19351FD6DAA335B5A7EED46E647C9FB
>                 kex_algorithms length: 26
>                 kex_algorithms string: diffie-hellman-group1-sha1
>                 server_host_key_algorithms length: 7
>                 server_host_key_algorithms string: ssh-rsa
>                 encryption_algorithms_client_to_server length: 41
>                 encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>                 encryption_algorithms_server_to_client length: 41
>                 encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>                 mac_algorithms_client_to_server length: 43
>                 mac_algorithms_client_to_server string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
>                 mac_algorithms_server_to_client length: 43
>                 mac_algorithms_server_to_client string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
>                 compression_algorithms_client_to_server length: 4
>                 compression_algorithms_client_to_server string: none
>                 compression_algorithms_server_to_client length: 4
>                 compression_algorithms_server_to_client string: none
>                 languages_client_to_server length: 0
>                 languages_server_to_client length: 0
>             Payload: 0000000000
>             Padding String:
Thanks. Restricting to v2 had occurred to me, since I don't think DES
is typically included, but I don't see that formally spelled out
anywhere, and I would prefer more positive control--what would we do
if one of the other protocols is broken in the near future?
Any other options folks can think of?
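As an added worked example (not code from the original thread), here is a small Python parser for the SSH KEXINIT message the capture above dissects (RFC 4253 section 7.1): it pulls out the ten algorithm name-lists, reports any deny-listed cipher such as des-cbc that a peer offers in either direction, and applies the RFC 4253 negotiation rule (first client-preferred algorithm the server also supports). The sample payload is constructed from the algorithm names shown in the capture, with a zeroed cookie, so it runs offline.

```python
import struct
SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client")

def build_kexinit(cookie, lists):
    """Serialise a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        value = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the KEXINIT name-lists as {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, fields = 17, {}  # skip message code (1 byte) and cookie (16 bytes)
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)  # uint32 length prefix
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + name)
        pos += 4 + length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields  # trailing first_kex_packet_follows / reserved bytes are ignored

def forbidden_ciphers_offered(fields, deny=("des-cbc",)):
    """Deny-listed ciphers the peer offers in either direction (empty = policy met)."""
    offered = set(fields["encryption_algorithms_client_to_server"])
    offered |= set(fields["encryption_algorithms_server_to_client"])
    return sorted(offered & set(deny))

def negotiate(client_list, server_list):
    """RFC 4253 choice rule: first client-preferred name the server also supports."""
    return next((a for a in client_list if a in server_list), None)

# Constructed KEXINIT carrying the algorithm lists seen in the capture above.
CIPHERS = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]
SAMPLE = build_kexinit(b"\x00" * 16, {
    "kex_algorithms": ["diffie-hellman-group1-sha1"], "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": CIPHERS, "encryption_algorithms_server_to_client": CIPHERS,
    "mac_algorithms_client_to_server": MACS, "mac_algorithms_server_to_client": MACS,
    "compression_algorithms_client_to_server": ["none"], "compression_algorithms_server_to_client": ["none"]})
```

Run the parser over the server's KEXINIT from a capture to confirm positively which ciphers the device offers, rather than inferring it from the SSH version alone.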