Wednesday, July 31, 2019

Disable 96-bit HMAC Algorithm on Cisco network devices?

Hi, would like to ask if we can possibly disable the 96-bit HMAC algorithm? Devices are currently on SSH v2 and recently received a vulnerability issue regarding this.

    show ip ssh
    SSH Enabled - version 2.0
    Authentication methods:publickey,keyboard-interactive,password
    Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    MAC Algorithms:hmac-sha1,hmac-sha1-96
    Authentication timeout: 60 secs; Authentication retries: 3
    Minimum expected Diffie Hellman key size : 1024 bits
    IOS Keys in SECSH format(ssh-rsa, base64 encoded):

Can I just disable using this command?

    (config)# ip ssh server algorithm mac hmac-sha1
    (config)# ip ssh version 2

Or is an IOS upgrade needed to get the latest version and strong cipher suites? Any idea? Thanks.
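As an added example that is not part of the original post, the script below parses the `show ip ssh` output quoted above, flags any truncated 96-bit MAC (`hmac-sha1-96`, `hmac-md5-96`) the server still offers, and builds the `ip ssh server algorithm mac` line that keeps only the full-length MACs. The command syntax is assumed to be the one quoted in the question; the sample output is constructed from the post, and the same parser can be run against the output captured again after the change to confirm the weak MAC is gone.

```python
import re

# Constructed sample: the "show ip ssh" output quoted in the question, one field per line.
SHOW_IP_SSH_BEFORE = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Constructed sample: what the same output is expected to look like once the 96-bit MAC is removed.
SHOW_IP_SSH_AFTER = SHOW_IP_SSH_BEFORE.replace("hmac-sha1,hmac-sha1-96", "hmac-sha1")

# SSH MAC names ending in "-96" are the truncated (96-bit tag) variants, e.g. hmac-sha1-96, hmac-md5-96.
TRUNCATED_MAC = re.compile(r"^hmac-.+-96$")

# Lines of "show ip ssh" that carry comma-separated algorithm lists.
LIST_FIELDS = ("Authentication methods", "Encryption Algorithms", "MAC Algorithms")
FIELD_RE = re.compile(r"^\s*(" + "|".join(LIST_FIELDS) + r")\s*:\s*(.*?)\s*$")


def parse_show_ip_ssh(text):
    """Return {field: [algorithm, ...]} for the list-valued fields of 'show ip ssh'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return fields


def weak_macs(fields):
    """MACs offered by the server that use a truncated 96-bit tag."""
    return [a for a in fields.get("MAC Algorithms", []) if TRUNCATED_MAC.match(a)]


def remediation_command(fields):
    """IOS config line (assumed syntax from the post) listing only the full-length MACs, or None."""
    keep = [a for a in fields.get("MAC Algorithms", []) if not TRUNCATED_MAC.match(a)]
    if not keep:
        return None  # removing every MAC would break SSH; leave it to the operator
    return "ip ssh server algorithm mac " + " ".join(keep)


def is_compliant(text):
    """True when the output shows SSH version 2.0 and no truncated MAC is offered."""
    fields = parse_show_ip_ssh(text)
    version_ok = "version 2.0" in text
    return version_ok and not weak_macs(fields)


if __name__ == "__main__":
    before = parse_show_ip_ssh(SHOW_IP_SSH_BEFORE)
    print("weak MACs offered:", weak_macs(before))
    print("suggested config :", remediation_command(before))
    print("compliant before :", is_compliant(SHOW_IP_SSH_BEFORE))
    print("compliant after  :", is_compliant(SHOW_IP_SSH_AFTER))
```

Run it against a saved copy of `show ip ssh` before and after the change; `is_compliant` only returns True once no `-96` MAC appears in the `MAC Algorithms` line, which is the check a scanner re-run would make.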
