This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (VSP/Fabric Engine)
- Re: How to disable weak SSH ciphers on VOSS switc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to disable weak SSH ciphers on VOSS switches in XIQ-SE?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-23-2024 04:00 PM
Hello,
I'm trying to disable weak SSH ciphers on couple of switches which are already enrolled in XIQ-SE. Switches are running FW 9.0.0.0.
I've tried to do it by uploading a file with CLI commands to a switch and run it using #source command. ssh was disabled, unwanted/weak ciphers removed but ssh would not start. Other option would be to enable telnet, disable ssh, remove weak ciphers, enable ssh, disable telnet. Unfortunately this is not ideal as telnet would be flagged on security scans.
Ultimate goal is to have weak SSH ciphers disabled during ZTP+. My questions are:
1) Is there a way to disable weak SSH ciphers on switches already enrolled in XIQ-SE and if so, how?
2) Can this be including in ZTP+ and if so, how?
Thank you for any advice.
Bret
File content:
configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh
Solved! Go to Solution.
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-26-2024 05:48 AM
Disabling SSH is problematic; if this is done from an SSH session, it will instantly kill the SSH session as well as any script initiated from that session, so these won't be able to complete and re-enable SSH.
To do this via CLI (but not serial port) one would need to use Telnet.... but that has complication in XIQ-SE because the device's admin CLI profile can only be set for Telnet or SSH, not both.
SNMP might be the easiest option, but is a bit more involved in writing the script. Do you use SNMP on these switches ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-27-2024 05:33 AM
I was mulling telnet over myself... what about a two shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration python script that would issue the CLI commands to configure SSH as deried and then via NBI calls in same python switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-27-2024 05:33 AM
I was mulling telnet over myself... what about a two shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration python script that would issue the CLI commands to configure SSH as deried and then via NBI calls in same python switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-29-2024 08:29 AM
Firewalls between XIQ-SE and switches would not allow telnet. Unfortunately this would require opening telnet traffic on firewalls everything when a new switch is onboarded and Network security team didn't like this option.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-24-2024 04:14 PM
For 1) simply create a CLI task script under Tasks -> Scripts with the above simple CLI commands and you can do a mass Execute CLI using that script to launch it against inventoried switches (assuming WebShell Terminal / CLI credentials are working / set).
To include directly in ZTP+ would be a product feature enhancement.
However via XIQ-SE / ZTP+ provisioning you should also be able to configure a script in XIQ-SE to fire after ZTP provisions a device to run the same CLI commands above to turn tweak things post ZTP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-25-2024 11:38 AM
Thanks @Robert_Haynes for the reply and for suggestions for after ZTP+ provisioning.
I have tried to create a script, with above mentioned commands, and execute it. Unfortunately SSH must be turned off first prior disabling weak ciphers. Only SSH is allowed switches and I don't use OOB mgmt. Turning it off causes loss of connectivity to the switch on which the script is executed.
The other idea I tried was upload a file (let say no_ssh.txt) on the switch and run it locally using source command (source no_ssh.txt). It works when executed as script (3 out of 3 attempts). I tried to use it in a workflow (which I could fire later after ZTP+) but result of this was inconsistent. In 8/10 attempts SSH was only disable but not enabled back.
Could you advise how to use the script in actions taken after ZTP provisioning, please? I only see workflows and other scripts under Actions > Custom Configuration > Add > Task. I'm fairly new to XIQ-SE and I'm surely missing a step or two.
Appreciate your help.
