02-23-2024 04:00 PM
Hello,
I'm trying to disable weak SSH ciphers on a couple of switches which are already enrolled in XIQ-SE. Switches are running FW 9.0.0.0.
I've tried to do it by uploading a file with CLI commands to a switch and running it using the #source command. ssh was disabled, unwanted/weak ciphers removed, but ssh would not start. The other option would be to enable telnet, disable ssh, remove weak ciphers, enable ssh, disable telnet. Unfortunately this is not ideal as telnet would be flagged on security scans.
The ultimate goal is to have weak SSH ciphers disabled during ZTP+. My questions are:
1) Is there a way to disable weak SSH ciphers on switches already enrolled in XIQ-SE and if so, how?
2) Can this be included in ZTP+ and if so, how?
Thank you for any advice.
Bret
File content:
configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh
02-26-2024 05:48 AM
Disabling SSH is problematic; if this is done from an SSH session, it will instantly kill the SSH session as well as any script initiated from that session, so these won't be able to complete and re-enable SSH.
To do this via CLI (but not serial port) one would need to use Telnet... but that has a complication in XIQ-SE because the device's admin CLI profile can only be set for Telnet or SSH, not both.
SNMP might be the easiest option, but is a bit more involved in writing the script. Do you use SNMP on these switches?
02-27-2024 05:33 AM
I was mulling telnet over myself... what about a two-shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration python script that would issue the CLI commands to configure SSH as desired and then via NBI calls in the same python switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?
05-06-2024 12:08 AM
Ok, I wrote the workflow. It can configure everything related to SSH with SNMP and can be manually run or triggered as a Site Action for initial switch onboarding.
https://github.com/extremenetworks/ExtremeScripting/tree/master/XMC_XIQ-SE/oneview_workflows
Workflow name: "Configure SSH"
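Whichever route is used (the workflow above, a sourced CLI file, or ZTP+), a practitioner will want to confirm from the outside that the switch no longer advertises the algorithms the CLI file in the question removes. The following is an added example, not code from this thread or from the ExtremeScripting repository: it opens a TCP connection to port 22, reads the server's KEXINIT and reports which of those weak ciphers/MACs are still offered. The packet builder, the constructed SAMPLE and the check_switch() helper are assumptions of this example, not a documented tool.

```python
import socket
import struct

# The ciphers and MAC the CLI file in the question removes, spelled as the switch CLI does.
WEAK_CIPHERS = {"3des-cbc", "aes256-cbc", "rijndael128-cbc", "blowfish-cbc",
                "aes192-cbc", "rijndael192-cbc"}
WEAK_MACS = {"hmac-sha1"}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(pkt: bytes) -> dict:
    """Split an SSH2 KEXINIT packet (RFC 4253 section 7.1) into its ten name-lists."""
    if pkt[5] != 20:  # byte 5 is the message id; 20 is SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT packet")
    pos, lists = 6 + 16, {}  # skip length, padding length, id and the 16-byte cookie
    for field in FIELDS:
        n = int.from_bytes(pkt[pos:pos + 4], "big")
        lists[field] = [a for a in pkt[pos + 4:pos + 4 + n].decode("ascii").split(",") if a]
        pos += 4 + n
    return lists

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT packet from name-lists; used only for the offline sample below."""
    body = bytes([20]) + b"\x00" * 16
    for field in FIELDS:
        s = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack("!I", len(s)) + s
    body += b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows, reserved
    pad = 16 - (len(body) + 5) % 8  # 9..16 bytes: >= 4 and total length a multiple of 8
    return struct.pack("!IB", len(body) + 1 + pad, pad) + body + b"\x00" * pad

def weak_offered(lists: dict) -> dict:
    """Weak algorithms the server still advertises in its server-to-client lists."""
    return {"ciphers": sorted(WEAK_CIPHERS & set(lists["enc_s2c"])),
            "macs": sorted(WEAK_MACS & set(lists["mac_s2c"]))}

def check_switch(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to a switch, read its KEXINIT and report any leftover weak algorithms."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-weakcheck\r\n")  # our version string; no key exchange follows
        f = sock.makefile("rb")
        if not any(l.startswith(b"SSH-") for l in iter(f.readline, b"")):
            raise ConnectionError("no SSH version string from %s" % host)
        hdr = f.read(4)  # packet_length covers everything after this field except the MAC
        return weak_offered(parse_kexinit(hdr + f.read(int.from_bytes(hdr, "big"))))

# Constructed sample: a switch that dropped the CBC ciphers but still offers hmac-sha1.
SAMPLE = build_kexinit({"kex": ["diffie-hellman-group14-sha256"], "hostkey": ["ssh-rsa"],
                        "enc_s2c": ["aes128-ctr", "aes256-ctr"],
                        "mac_s2c": ["hmac-sha2-256", "hmac-sha1"], "comp_s2c": ["none"]})
```

Against a live switch, check_switch("<switch-ip>") returns an empty "ciphers" and "macs" list once the workflow has applied cleanly; anything left in those lists is what a scanner will flag.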
02-29-2024 12:41 AM
Yes that should work. But it is a rather complicated approach. An SNMP workflow would be more efficient. Is SNMP an option for you?
02-29-2024 08:26 AM
Yes, SNMPv3 is used on the switches so this would be an option. How can this be achieved?
Thanks