Security checkers, like Nessus, often report issues like these on Cisco IOS devices:
- SSH CBC Mode Ciphers Enabled
- SSH Insecure HMAC Algorithms Enabled
In the versions where it has been resolved, you should be able to:
> enable
# configure terminal
(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
(config)# ip ssh server algorithm mac hmac-sha1
You might want to check with "?" if better options have since become available, especially from the MACs (SHA-1 is not ideal, SHA-2/SHA-3 based algorithms might be added in the future) before using my list as-is...
Source of config syntax: Cisco IOS SSH configuration guide
> enable
# configure terminal
(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
(config)# ip ssh server algorithm mac hmac-sha1
You might want to check with "?" if better options have since become available, especially from the MACs (SHA-1 is not ideal, SHA-2/SHA-3 based algorithms might be added in the future) before using my list as-is...
Source of config syntax: Cisco IOS SSH configuration guide
