
How to disable weak SSH ciphers on VOSS switches in XIQ-SE?

BretSedlak
New Contributor

Hello,

I'm trying to disable weak SSH ciphers on a couple of switches which are already enrolled in XIQ-SE. The switches are running FW 9.0.0.0.

I've tried to do it by uploading a file with CLI commands to a switch and running it using the #source command. SSH was disabled and the unwanted/weak ciphers were removed, but SSH would not start. The other option would be to enable telnet, disable ssh, remove the weak ciphers, enable ssh, disable telnet. Unfortunately this is not ideal as telnet would be flagged on security scans.

The ultimate goal is to have weak SSH ciphers disabled during ZTP+. My questions are:

1) Is there a way to disable weak SSH ciphers on switches already enrolled in XIQ-SE and if so, how?

2) Can this be included in ZTP+ and if so, how?

Thank you for any advice.

Bret

File content:

configure terminal
no ssh
no ssh encryption-type 3des-cbc
no ssh authentication-type hmac-sha1
no ssh encryption-type aes256-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type rijndael192-cbc
ssh
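As an added check that is not part of this thread or of Extreme's tooling: the Python script below decodes the SSH_MSG_KEXINIT a switch sends (RFC 4253) and reports whether any of the ciphers removed by the file above, or the hmac-sha1 MAC, are still offered, which is a quick way to confirm the change took effect after a script or workflow runs. It assumes TCP reachability to port 22 from wherever it runs; the embedded SAMPLE_KEXINIT is constructed for offline use, not captured from a real switch.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
# Ciphers the CLI file above removes, plus the hmac-sha1 MAC it removes.
WEAK_CIPHERS = {"3des-cbc", "aes256-cbc", "rijndael128-cbc", "blowfish-cbc",
                "aes192-cbc", "rijndael192-cbc"}
WEAK_MACS = {"hmac-sha1"}
NAMELISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
             "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten comma-separated name-lists of a KEXINIT payload."""
    if payload[:1] != bytes([SSH_MSG_KEXINIT]):
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos, out = 17, {}  # skip the message byte and the 16-byte cookie
    for name in NAMELISTS:
        (length,) = struct.unpack("!I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + length
    return out

def weak_algorithms(kexinit: dict) -> dict:
    """Weak ciphers and MACs still offered in either direction, sorted."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    return {"ciphers": sorted(ciphers & WEAK_CIPHERS), "macs": sorted(macs & WEAK_MACS)}

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to a switch, exchange version strings, and return its KEXINIT."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(b"SSH-2.0-cipher_audit\r\n")
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):
            line = stream.readline()  # servers may send banner lines first
        packet_len, pad_len = struct.unpack("!IB", stream.read(5))
        return parse_kexinit(stream.read(packet_len - pad_len - 1))

def _namelist(items):
    raw = ",".join(items).encode("ascii")
    return struct.pack("!I", len(raw)) + raw

# Constructed sample KEXINIT (not captured from a real switch) for offline runs.
SAMPLE_KEXINIT = (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
                  + _namelist(["diffie-hellman-group14-sha1"]) + _namelist(["ssh-rsa"])
                  + _namelist(["aes256-ctr", "3des-cbc", "aes256-cbc"]) * 2
                  + _namelist(["hmac-sha2-256", "hmac-sha1"]) * 2
                  + _namelist(["none"]) * 2 + _namelist([]) * 2 + b"\x00" * 5)
```

Against a live switch, `weak_algorithms(fetch_kexinit("<switch-ip>"))` returns empty lists once the cipher removal has actually applied.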

2 ACCEPTED SOLUTIONS

Ludovico_Steven
Extreme Employee

Disabling SSH is problematic; if this is done from an SSH session, it will instantly kill the SSH session as well as any script initiated from that session, so these won't be able to complete and re-enable SSH.

To do this via CLI (but not the serial port) one would need to use Telnet... but that has a complication in XIQ-SE because the device's admin CLI profile can only be set for Telnet or SSH, not both.

SNMP might be the easiest option, but is a bit more involved in writing the script. Do you use SNMP on these switches?


I was mulling telnet over myself... what about a two shot approach then. ZTP to enable telnet and SSH. The default ZTP profile will use a telnet-based profile. You then run a Custom Configuration python script that would issue the CLI commands to configure SSH as desired and then via NBI calls in the same python script switch the device to a different administration profile (one w/ SSH) [if of course that is doable]?


8 REPLIES

Firewalls between XIQ-SE and the switches would not allow telnet. Unfortunately this would require opening telnet traffic on the firewalls every time a new switch is onboarded, and the network security team didn't like this option.

Robert_Haynes
Extreme Employee

For 1), simply create a CLI task script under Tasks -> Scripts with the simple CLI commands above, and you can do a mass Execute CLI using that script to launch it against inventoried switches (assuming WebShell Terminal / CLI credentials are set and working).

To include directly in ZTP+ would be a product feature enhancement.

However, via XIQ-SE / ZTP+ provisioning you should also be able to configure a script in XIQ-SE to fire after ZTP provisions a device, running the same CLI commands above to tweak things post ZTP.

Thanks @Robert_Haynes for the reply and for suggestions for after ZTP+ provisioning.

I have tried to create a script with the above-mentioned commands and execute it. Unfortunately SSH must be turned off first, prior to disabling the weak ciphers. Only SSH is allowed on the switches and I don't use OOB mgmt. Turning it off causes loss of connectivity to the switch on which the script is executed.

The other idea I tried was to upload a file (let's say no_ssh.txt) to the switch and run it locally using the source command (source no_ssh.txt). It works when executed as a script (3 out of 3 attempts). I tried to use it in a workflow (which I could fire later after ZTP+) but the result of this was inconsistent. In 8/10 attempts SSH was only disabled but not enabled back.

Could you advise how to use the script in actions taken after ZTP provisioning, please? I only see workflows and other scripts under Actions > Custom Configuration > Add > Task. I'm fairly new to XIQ-SE and I'm surely missing a step or two.

Appreciate your help.
