Thursday, January 14, 2016

Configure more secure SSH algorithms on Cisco IOS

Vulnerability scanners such as Nessus often report findings like these on Cisco IOS devices:
  • SSH CBC Mode Ciphers Enabled 
  • SSH Insecure HMAC Algorithms Enabled 
There has been a feature request to add this functionality to IOS, which seems to have been resolved in January 2016.

On releases that include the fix, the server's algorithm lists can be restricted like this:
> enable
# configure terminal
(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
(config)# ip ssh server algorithm mac hmac-sha1

Before using my list as-is, check with "?" whether better options have since become available, especially for the MACs: SHA-1 is not ideal, and SHA-2 based MACs (hmac-sha2-256 and hmac-sha2-512 are the standard SSH names from RFC 6668) may be added in later releases.
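The fix is only done when the device stops advertising the weak algorithms, which is exactly what a scanner looks at: an SSH-2 server lists every cipher, MAC and key-exchange method it accepts in its KEXINIT message (RFC 4253, section 7.1). The script below is an added example, not code from the original post or from Cisco: it parses a server's KEXINIT and reports the same two classes of finding as above, plus legacy key exchange, which the two commands above do not touch. The WEAK_MACS and WEAK_KEX sets are my reading of what scanners flag, the client identification string "kexinit_check" is made up, and the two sample packets are constructed by hand rather than captured from a real device (which key-exchange methods a given IOS release offers is release-dependent).

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Name-lists in the order they appear in KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Assumption: the MAC and key-exchange names scanners commonly report as weak
# (MD5-based and 96-bit-truncated MACs, the 1024-bit group and SHA-1 group
# exchange). CBC ciphers are recognised by their "-cbc" suffix.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def _name_list(buf, pos):
    """Decode one SSH name-list: uint32 length, then comma-separated names."""
    (length,) = struct.unpack_from(">I", buf, pos)
    names = buf[pos + 4:pos + 4 + length].decode("ascii")
    return [n for n in names.split(",") if n], pos + 4 + length


def parse_kexinit(packet):
    """Parse an unencrypted SSH binary packet (RFC 4253, section 6) carrying
    KEXINIT: byte 20, 16-byte cookie, ten name-lists, then a boolean and a
    reserved uint32 that this check does not need."""
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    pos, lists = 1 + 16, {}  # skip message type and cookie
    for field in FIELDS:
        lists[field], pos = _name_list(payload, pos)
    return lists


def weak_algorithms(lists):
    """Return sorted (finding, algorithm) pairs a scanner would report."""
    findings = set()
    for name in lists["enc_c2s"] + lists["enc_s2c"]:
        if name.endswith("-cbc"):
            findings.add(("cbc-cipher", name))
    for name in lists["mac_c2s"] + lists["mac_s2c"]:
        if name in WEAK_MACS:
            findings.add(("weak-mac", name))
    for name in lists["kex"]:
        if name in WEAK_KEX:
            findings.add(("weak-kex", name))
    return sorted(findings)


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, return the server's KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")  # made-up client name
        stream = sock.makefile("rb")
        line = b""
        # A server may send banner lines before its "SSH-" line (RFC 4253, 4.2).
        while not line.startswith(b"SSH-"):
            line = stream.readline()
            if not line:
                raise ConnectionError("no identification string from server")
        header = stream.read(4)
        if len(header) < 4:
            raise ConnectionError("no KEXINIT from server")
        (packet_length,) = struct.unpack(">I", header)
        return header + stream.read(packet_length)


def build_kexinit(lists):
    """Encode a KEXINIT packet; used here only to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie is fine here
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8  # whole packet a multiple of 8 bytes,
    padding += 8 if padding < 4 else 0    # with at least 4 bytes of padding
    body = bytes([padding]) + payload + bytes(padding)
    return struct.pack(">I", len(body)) + body


# Constructed sample input (hand-built for this example, not captured from a
# real device): a server offering CBC and CTR ciphers and a 96-bit MAC, then
# the same server after limiting ciphers to CTR and the MAC to hmac-sha1.
_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1"]
_CBC = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
_CTR = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
_COMMON = {"kex": _KEX, "hostkey": ["ssh-rsa"], "comp_c2s": ["none"], "comp_s2c": ["none"]}
BEFORE = build_kexinit({**_COMMON, "enc_c2s": _CBC + _CTR, "enc_s2c": _CBC + _CTR,
                        "mac_c2s": ["hmac-sha1", "hmac-sha1-96"],
                        "mac_s2c": ["hmac-sha1", "hmac-sha1-96"]})
AFTER = build_kexinit({**_COMMON, "enc_c2s": _CTR, "enc_s2c": _CTR,
                       "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]})

if __name__ == "__main__":
    # With a host argument, check a live server; otherwise report on the samples.
    packets = [fetch_server_kexinit(sys.argv[1])] if len(sys.argv) > 1 else [BEFORE, AFTER]
    for packet in packets:
        print(weak_algorithms(parse_kexinit(packet)) or "no weak algorithms offered")
```

Run it with the device's address as the only argument to see what the device actually offers after the change; the "after" sample still reports the two legacy key-exchange methods, which is the point of including kex in the check: restricting ciphers and MACs does nothing for the key-exchange list. On the device itself, show ip ssh prints the lists currently in effect, and nmap's ssh2-enum-algos script gives the same outside view without writing any code.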

Source of config syntax: Cisco IOS SSH configuration guide