How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak
New Contributor

Hello,

I'm trying to disable weak SSH ciphers on a couple of switches which are already enrolled in XIQ-SE. Switches are running FW 9.0.0.0.

I've tried to do it by uploading a file with CLI commands to a switch and running it using the #source command. SSH was disabled and the unwanted/weak ciphers were removed, but SSH would not start. The other option would be to enable telnet, disable SSH, remove weak ciphers, enable SSH, disable telnet. Unfortunately this is not ideal as telnet would be flagged on security scans.

Ultimate goal is to have weak SSH ciphers disabled during ZTP+. My questions are:

1) Is there a way to disable weak SSH ciphers on switches already enrolled in XIQ-SE and if so, how?

2) Can this be included in ZTP+ and if so, how?

Thank you for any advice.

Bret

File content:

configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh

2 ACCEPTED SOLUTIONS

Ludovico_Steven
Extreme Employee

Disabling SSH is problematic; if this is done from an SSH session, it will instantly kill the SSH session as well as any script initiated from that session, so these won't be able to complete and re-enable SSH.

To do this via CLI (but not serial port) one would need to use Telnet... but that has a complication in XIQ-SE because the device's admin CLI profile can only be set for Telnet or SSH, not both.

SNMP might be the easiest option, but is a bit more involved in writing the script. Do you use SNMP on these switches?

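As an added example (not from this thread, and not Extreme's or XIQ-SE's tooling), a small Python pre-flight check for the command file in the question. It encodes the failure Ludovico describes: if the file is sourced over SSH, "no ssh" ends the session and every later line, including the closing "ssh", is orphaned. The delivery transport is an assumption passed in by the caller, and the embedded command file is a constructed copy of the one posted above.

```python
"""Pre-flight check for a VOSS CLI file before XIQ-SE sources it on a switch.
Thread failure mode: "no ssh" run over an SSH session kills that session, so
every later line (including the closing "ssh") never executes. Example code
written for this thread, not Extreme's or XIQ-SE's own tooling."""
import re

# Exact-line matches for the VOSS commands that stop and start the SSH server.
SSH_OFF = re.compile(r"^no\s+ssh$")
SSH_ON = re.compile(r"^ssh$")

# Constructed copy of the command file from the question.
CLI_FILE = """\
configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh
"""


def check_script(script: str, delivered_over: str) -> dict:
    """delivered_over is the session type the file is sourced from:
    'ssh', 'telnet' or 'console'. Returns findings; 'safe' is the verdict."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    off = next((i for i, ln in enumerate(lines) if SSH_OFF.match(ln)), None)
    on = next((i for i, ln in enumerate(lines) if SSH_ON.match(ln)), None)
    reenabled = on is not None and (off is None or on > off)
    findings = {
        "disables_ssh_at": off,      # 0-based index of "no ssh", or None
        "reenables_ssh": reenabled,  # a bare "ssh" follows the "no ssh"
        "orphaned": [],              # lines that would never execute
        "safe": True,
    }
    if off is not None and delivered_over == "ssh":
        # Session dies at "no ssh": nothing after it runs, re-enable included.
        findings["orphaned"] = lines[off + 1:]
        findings["safe"] = False
    elif off is not None and not reenabled:
        findings["safe"] = False     # switch would be left without SSH
    return findings

if __name__ == "__main__":
    for transport in ("ssh", "telnet"):
        print(transport, check_script(CLI_FILE, transport))
```

The check only reasons about the transport-killing order of commands; whether VOSS accepts cipher changes while SSH is running is not something it verifies.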

I was mulling telnet over myself... what about a two shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration Python script that would issue the CLI commands to configure SSH as desired and then via NBI calls in the same Python script switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?


7 REPLIES

Ludovico_Steven
Extreme Employee

Yes, that should work. But it is a rather complicated approach. An SNMP workflow would be more efficient. Is SNMP an option for you?

Yes, SNMPv3 is used on the switches so this would be an option. How can this be achieved?

Thanks
