topic Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE? in ExtremeSwitching (VSP/Fabric Engine)

How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak — Sat, 24 Feb 2024 00:00:43 GMT

Hello,

I'm trying to disable weak SSH ciphers on couple of switches which are already enrolled in XIQ-SE. Switches are running FW 9.0.0.0.

I've tried to do it by uploading a file with CLI commands to a switch and run it using #source command. ssh was disabled, unwanted/weak ciphers removed but ssh would not start. Other option would be to enable telnet, disable ssh, remove weak ciphers, enable ssh, disable telnet. Unfortunately this is not ideal as telnet would be flagged on security scans.

Ultimate goal is to have weak SSH ciphers disabled during ZTP+. My questions are:

1) Is there a way to disable weak SSH ciphers on switches already enrolled in XIQ-SE and if so, how?

2) Can this be including in ZTP+ and if so, how?

Thank you for any advice.

Bret

File content:

configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

Robert_Haynes — Sun, 25 Feb 2024 00:14:13 GMT

For 1) simply create a CLI task script under Tasks -> Scripts with the above simple CLI commands and you can do a mass Execute CLI using that script to launch it against inventoried switches (assuming WebShell Terminal / CLI credentials are working / set).

To include directly in ZTP+ would be a product feature enhancement.

However via XIQ-SE / ZTP+ provisioning you should also be able to configure a script in XIQ-SE to fire after ZTP provisions a device to run the same CLI commands above to turn tweak things post ZTP.

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak — Sun, 25 Feb 2024 19:38:45 GMT

Thanks @Robert_Haynes for the reply and for suggestions for after ZTP+ provisioning.

I have tried to create a script, with above mentioned commands, and execute it. Unfortunately SSH must be turned off first prior disabling weak ciphers. Only SSH is allowed switches and I don't use OOB mgmt. Turning it off causes loss of connectivity to the switch on which the script is executed.

The other idea I tried was upload a file (let say no_ssh.txt) on the switch and run it locally using source command (source no_ssh.txt). It works when executed as script (3 out of 3 attempts). I tried to use it in a workflow (which I could fire later after ZTP+) but result of this was inconsistent. In 8/10 attempts SSH was only disable but not enabled back.

Could you advise how to use the script in actions taken after ZTP provisioning, please? I only see workflows and other scripts under Actions > Custom Configuration > Add > Task. I'm fairly new to XIQ-SE and I'm surely missing a step or two.

Appreciate your help.

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

Ludovico_Steven — Mon, 26 Feb 2024 13:48:32 GMT

Disabling SSH is problematic; if this is done from an SSH session, it will instantly kill the SSH session as well as any script initiated from that session, so these won't be able to complete and re-enable SSH.

To do this via CLI (but not serial port) one would need to use Telnet.... but that has complication in XIQ-SE because the device's admin CLI profile can only be set for Telnet or SSH, not both.

SNMP might be the easiest option, but is a bit more involved in writing the script. Do you use SNMP on these switches ?

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

Robert_Haynes — Tue, 27 Feb 2024 13:33:55 GMT

I was mulling telnet over myself... what about a two shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration python script that would issue the CLI commands to configure SSH as deried and then via NBI calls in same python switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

Ludovico_Steven — Thu, 29 Feb 2024 08:41:08 GMT

Yes that should work. But it is a rather complicated apprach. An SNMP workflow would be more efficient. Is SNMP an option for you ?

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak — Thu, 29 Feb 2024 16:26:08 GMT

Yes, SNMPv3 is used on switches so this would be an option. How this can be achieved?

Thanks

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak — Thu, 29 Feb 2024 16:29:55 GMT

Firewalls between XIQ-SE and switches would not allow telnet. Unfortunately this would require opening telnet traffic on firewalls everything when a new switch is onboarded and Network security team didn't like this option.

Re: How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

Ludovico_Steven — Mon, 06 May 2024 07:08:51 GMT

Ok, I wrote the workflow. It can configure everything related to SSH with SNMP and can be manually run or triggered as a Site Action for initial switch onboarding.

https://github.com/extremenetworks/ExtremeScripting/tree/master/XMC_XIQ-SE/oneview_workflows

Workflow name: "Configure SSH"