Disable Ciphers/Message Authentication Code (MACs) in Secure Shell (SSH) (Secure Mode)
Secure Shell (SSH) can operate in two modes: default mode, which supports all ciphers/Message Authentication Codes (MACs), and secure mode, which supports only highly secure ciphers/MACs. This feature provides the ability to configure the required ciphers/MACs and to disable the ciphers/MACs that are not required.
OpenSSH-6.5p1 supports Diffie-Hellman group 1 and Diffie-Hellman group 14 as part of the key exchange algorithms. By default, both Diffie-Hellman group 1 and Diffie-Hellman group 14 are supported. You can configure the minimal supported Diffie-Hellman group as 14 to avoid using the weaker Diffie-Hellman group 1 on the SSH server.
Supported Platforms
Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X620, X440-G2 series switches.
New CLI Commands
configure ssh2 enable [cipher [cipher |all] | mac [mac |all]]
configure ssh2 disable [cipher [cipher |all] | mac [mac |all]]
show ssh2
show ssh2 {ciphers | macs}
configure ssh2 dh-group minimum [1 | 14]
Changed CLI Commands
The following show command is changed to show the secure mode status and the minimal supported Diffie-Hellman group (the Secure Mode and Diffie-Hellman Groups fields):
show ssh2
SSH module configuration details:
SSH Access : Disabled
Key validity : Invalid
TCP port : 22
VR : all
Access profile : not set
Secure Mode : Off
Diffie-Hellman Groups : 1 (1024 bits prime), 14 (2048 bits prime)
Idle time : 60 minutes
Ciphers : Not configured
Macs : hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
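The following is an added example, not vendor code: a Python audit helper that parses captured "show ssh2" output and builds the hardening commands listed under New CLI Commands. Assumptions: the policy of flagging MD5-based and 96-bit truncated MACs, the wrapped MAC line in the constructed sample, and that the MAC argument is the name exactly as the output prints it.

```python
import re

# Constructed sample modelled on the "show ssh2" output above (MAC list
# shortened; the wrapped continuation line is an assumption).
SAMPLE = """\
SSH module configuration details:
SSH Access : Disabled
TCP port : 22
Secure Mode : Off
Diffie-Hellman Groups : 1 (1024 bits prime), 14 (2048 bits prime)
Ciphers : Not configured
Macs : hmac-md5-etm@openssh.com, hmac-sha2-256-etm@openssh.com,
 hmac-sha2-512, hmac-sha1-96, hmac-md5
"""

# Assumed example policy (not from the page): MD5-based or 96-bit truncated MACs.
WEAK_MAC = re.compile(r"md5|-96")


def parse_show_ssh2(text):
    """Return {field: value}; a line without ' : ' continues the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            last = key.strip()
            fields[last] = value.strip()
        elif last and line.strip():
            fields[last] += " " + line.strip()
    return fields


def remediation(text):
    """Build the page's CLI commands for each weak setting found in the output."""
    fields = parse_show_ssh2(text)
    cmds = []
    # Group numbers are the integers directly before each "(... bits prime)".
    groups = re.findall(r"(\d+) \(", fields.get("Diffie-Hellman Groups", ""))
    if "1" in groups:
        cmds.append("configure ssh2 dh-group minimum 14")
    macs = [m.strip() for m in fields.get("Macs", "").split(",") if m.strip()]
    cmds += [f"configure ssh2 disable mac {m}" for m in macs if WEAK_MAC.search(m)]
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE)))
```

Run "show ssh2 macs" after applying the generated commands to confirm that only the intended MACs remain enabled.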