Configure SSH Ciphers

Use the command line to configure the Secure Shell (SSH) ciphers.

  1. Enter global configuration mode.
    device# configure terminal
  2. Set the server cipher for SSH.
    You can use multiple ciphers by separating the string names with commas.
    device(config)# ssh server cipher aes192-cbc,aes128-ctr
  3. Set the client cipher for SSH.
    You can use multiple ciphers by separating the string names with commas.
    device(config)# ssh client cipher aes192-cbc,aes128-ctr
  4. Restart the SSH server for the configuration to take effect.
    device(config)# do ssh-server restart
    Warning: This operation will disconnect all active SSH sessions.
    
    Are you sure you want to restart the SSH server [y/n]? y
    SSH server is going down for restart NOW !!
    SSH server restarted !!
    
  5. Confirm the cipher settings with one of the following commands.
    device(config)# do show running-config ssh server cipher
    ssh server cipher aes192-cbc,aes128-ctr
    
    device(config)# do show running-config ssh client cipher
    ssh client cipher aes192-cbc,aes128-ctr
    
    device(config)# do show ssh server status
    SSH Server Rekey Volume: 1024
    SSH Server Auth Tries: 6
    SSH Server Login Timeout: 120
    VRF-Name: mgmt-vrf      Status: Enabled
    VRF-Name: default-vrf   Status: Enabled
    
    device(config)# do show ssh client status
    SSH Client Cipher: aes192-cbc,aes128-ctr
    
    To see the complete list of supported server or client ciphers, use one of the following commands.
    device(config)# ssh server cipher ?
    Possible completions:
      <string>   Ciphers supported :- aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc,
                 aes256-cbc, aes128-gcm@openssh.com,
                 aes256-gcm@openssh.com,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, arcfour128,
                 arcfour256, rijndael-cbc@lysator.liu.se, chacha20-poly1305@openssh.com. Ciphers
                 recommended in FIPS mode :- aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
                 aes192-cbc, aes256-cbc. Configuring anything else is a security risk. Ciphers
                 recommended in CC mode :- aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc.
                 Configuring anything else is a security risk.
    device(config)# ssh client cipher ?
    Possible completions:
      <string>   Ciphers supported :- aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc,
                 aes256-cbc, aes128-gcm@openssh.com,
                 aes256-gcm@openssh.com,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, arcfour128,
                 arcfour256, rijndael-cbc@lysator.liu.se, chacha20-poly1305@openssh.com. Ciphers
                 recommended in FIPS mode :- aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
                 aes192-cbc, aes256-cbc. Configuring anything else is a security risk. Ciphers
                 recommended in CC mode :- aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc.
                 Configuring anything else is a security risk.
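
Added example (not part of the original documentation): a Python check that parses "show running-config ssh server cipher" and "show running-config ssh client cipher" output and flags ciphers outside the supported, FIPS-mode, or CC-mode lists quoted in the help text above. The sample output and the names parse_cipher_lines and audit are constructed for illustration.

```python
import re

# Cipher lists copied from the "ssh server cipher ?" help text on this page.
FIPS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-cbc", "aes192-cbc", "aes256-cbc"}
CC = {"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"}
SUPPORTED = FIPS | {
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "3des-cbc",
    "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256",
    "rijndael-cbc@lysator.liu.se", "chacha20-poly1305@openssh.com"}
MODES = {"fips": FIPS, "cc": CC}

# Matches config lines only; prompt lines start with "device(config)#".
LINE_RE = re.compile(r"^\s*ssh\s+(server|client)\s+cipher\s+(\S.*)$")

# Constructed sample: server line as configured on this page; client line with
# one cipher outside the recommended lists and one misspelled name (assumed).
SAMPLE = """\
device(config)# do show running-config ssh server cipher
ssh server cipher aes192-cbc,aes128-ctr
device(config)# do show running-config ssh client cipher
ssh client cipher aes128-ctr, 3des-cbc,aes256-crt
"""

def parse_cipher_lines(text):
    """Return {'server': [...], 'client': [...]} for the config lines present."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return found

def audit(text, mode="fips"):
    """Flag names the device does not list and ciphers outside the mode's list."""
    allowed = MODES[mode]
    report = {}
    for role, ciphers in parse_cipher_lines(text).items():
        report[role] = {
            "unsupported": [c for c in ciphers if c not in SUPPORTED],
            "outside_mode": [c for c in ciphers if c in SUPPORTED and c not in allowed],
        }
    return report

if __name__ == "__main__":
    for mode in MODES:
        print(mode, audit(SAMPLE, mode))
```

On the sample, the server list used in this procedure (aes192-cbc,aes128-ctr) passes the FIPS-mode list, but aes192-cbc is reported for CC mode because it is not in the CC-mode list.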