From: Heath Roberts on 17 Apr 2008 15:17

For example, let's say I want to allow 3DES but not DES. Can I do that? I don't see any options in the IOS Security Configuration Guide or Reference, or in the O'Reilly IOS Cookbook...

Thanks in advance,
Heath
From: News Reader on 17 Apr 2008 15:32

Heath Roberts wrote:
> For example, let's say I want to allow 3DES but not DES. Can I do
> that? I don't see any options in the IOS Security Configuration Guide
> or Reference, or in the O'Reilly IOS Cookbook...
>
> Thanks in advance,
> Heath

You have control over the version of SSH used on the Cisco device. e.g.:

    ip ssh version 2

I just did a capture and found the following on the Server Key Exchange, which suggests that the SSHv2 on my device doesn't support single DES:

Take a look and see if you agree:

    SSH Protocol
      SSH Version 2
        Packet Length: 276
        Padding Length: 4
        Key Exchange
          Msg code: Key Exchange Init (20)
          Algorithms
            Cookie: A19351FD6DAA335B5A7EED46E647C9FB
            kex_algorithms length: 26
            kex_algorithms string: diffie-hellman-group1-sha1
            server_host_key_algorithms length: 7
            server_host_key_algorithms string: ssh-rsa
            encryption_algorithms_client_to_server length: 41
            encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
            encryption_algorithms_server_to_client length: 41
            encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
            mac_algorithms_client_to_server length: 43
            mac_algorithms_client_to_server string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
            mac_algorithms_server_to_client length: 43
            mac_algorithms_server_to_client string: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
            compression_algorithms_client_to_server length: 4
            compression_algorithms_client_to_server string: none
            compression_algorithms_server_to_client length: 4
            compression_algorithms_server_to_client string: none
            languages_client_to_server length: 0
            languages_server_to_client length: 0
          Payload: 0000000000
        Padding String:

Best Regards,
News Reader
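Added example, not part of the thread: a small Python parser for the SSH_MSG_KEXINIT payload layout (RFC 4253 section 7.1) that the capture above decodes, so the same "does the device offer single DES?" check can be run on a payload pulled from a pcap. The sample payload is rebuilt from the cookie and name-lists in the capture; the legacy-algorithm watch-list is an assumption of mine, not something the device or the thread defines.

```python
import struct

# Name-lists in the order RFC 4253 s7.1 defines them (same order as the capture).
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Assumed watch-list of algorithms a defender would not want a device to offer.
LEGACY = {"des-cbc", "arcfour", "hmac-md5", "hmac-md5-96", "diffie-hellman-group1-sha1"}

def build_kexinit(cookie: bytes, lists: dict) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the sample below."""
    out = bytes([20]) + cookie                      # msg code 20 + 16-byte cookie
    for name in NAME_LISTS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s        # uint32 length + comma-separated names
    return out + b"\x00" + b"\x00\x00\x00\x00"      # first_kex_packet_follows, reserved

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (unencrypted)."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                             # skip msg code and cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        s = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[name] = s.split(",") if s else []     # empty string means empty list
    return lists

def legacy_offers(lists: dict) -> list:
    """Return the sorted set of watch-listed algorithms found anywhere in the offer."""
    return sorted({a for algs in lists.values() for a in algs if a in LEGACY})

# Constructed sample: the values shown in the capture from the Cisco device.
SAMPLE_KEXINIT = build_kexinit(bytes.fromhex("A19351FD6DAA335B5A7EED46E647C9FB"), {
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    offer = parse_kexinit(SAMPLE_KEXINIT)
    print("single DES offered:", "des-cbc" in offer["encryption_algorithms_client_to_server"])
    print("legacy algorithms offered:", legacy_offers(offer))
```

Run against a real payload, this confirms the poster's reading (no des-cbc) and also surfaces the other items on the watch-list, which is the "what if another algorithm is broken later" concern raised in the reply below.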
From: Heath Roberts on 17 Apr 2008 16:11

On Apr 17, 3:32 pm, News Reader <u...(a)domain.null> wrote:
> Heath Roberts wrote:
> > For example, let's say I want to allow 3DES but not DES. Can I do
> > that? I don't see any options in the IOS Security Configuration Guide
> > or Reference, or in the O'Reilly IOS Cookbook...
> >
> > Thanks in advance,
> > Heath
>
> You have control over the version of SSH used on the Cisco device. e.g.:
> ip ssh version 2
>
> I just did a capture and found the following on the Server Key Exchange
> which suggests that the SSHv2 on my device, doesn't support single DES:
>
> Take a look and see if you agree:
>
> SSH Protocol
>   SSH Version 2
>     Packet Length: 276
>     Padding Length: 4
>     Key Exchange
>       Msg code: Key Exchange Init (20)
>       Algorithms
>         Cookie: A19351FD6DAA335B5A7EED46E647C9FB
>         kex_algorithms length: 26
>         kex_algorithms string: diffie-hellman-group1-sha1
>         server_host_key_algorithms length: 7
>         server_host_key_algorithms string: ssh-rsa
>         encryption_algorithms_client_to_server length: 41
>         encryption_algorithms_client_to_server string:
>           aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>         encryption_algorithms_server_to_client length: 41
>         encryption_algorithms_server_to_client string:
>           aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
>         mac_algorithms_client_to_server length: 43
>         mac_algorithms_client_to_server string:
>           hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
>         mac_algorithms_server_to_client length: 43
>         mac_algorithms_server_to_client string:
>           hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
>         compression_algorithms_client_to_server length: 4
>         compression_algorithms_client_to_server string: none
>         compression_algorithms_server_to_client length: 4
>         compression_algorithms_server_to_client string: none
>         languages_client_to_server length: 0
>         languages_server_to_client length: 0
>       Payload: 0000000000
>     Padding String:

Thanks.
Restricting to v2 had occurred to me, since I don't think DES is typically included, but I don't see that formally spelled out anywhere, and I would prefer more positive control--what would we do if one of the other protocols is broken in the near future? Any other options folks can think of?