Cisco Bug: CSCvv70862 - SMA version 13.6.2-023 cannot limit ciphers negotiated on sshconfig sshd
Sep 15, 2020
- Cisco Content Security Management Appliance
Known Affected Releases
- 13.6.2-023
Symptom: On SMA version 13.6.2-023, removing ciphers from the list offered by the SSH server under sshconfig > SSHD has no effect: the appliance keeps accepting ciphers that are no longer configured. The current settings can be displayed from the CLI:

    ironport.local> sshconfig

    Choose the operation you want to perform:
    - SSHD - Edit SSH server settings.
    - USERKEY - Edit SSH User Key settings
    >SSHD

    ssh server config settings:
    Incomplete SSH session timeout (in secs): 60
    Minimum Server Key Size: 1024
    Public Key Authentication Algorithms:
        rsa1
        ssh-rsa
    KEX Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1
        ecdh-sha2-nistp256
        ecdh-sha2-nistp384
        ecdh-sha2-nistp521
    Cipher Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
    Unsuccessful SSH login attempts allowed: 3
    MAC Methods:
        hmac-sha1
        email@example.com
        hmac-ripemd160
        firstname.lastname@example.org

    Choose the operation you want to perform:
    - SETUP - Setup SSH server configuration settings
    >

    Choose the operation you want to perform:
    - SSHD - Edit SSH server settings.
    - USERKEY - Edit SSH User Key settings
    >

Even though only CTR ciphers are listed, a client can still connect to the appliance using a CBC cipher:

    86Q:~$ ssh -c aes256-cbc email@example.com
    Password:
    AsyncOS 13.6 for Cisco M100V build 023
    Welcome to the Cisco M100V Content Security Virtual Management Appliance

Conditions: Install SMA version 13.6.2-023. Limit the ciphers offered under sshconfig > SSHD from the CLI to only CTR or only CBC ciphers. Then connect to the appliance with a cipher that should no longer be offered, or scan the appliance's SSH service with nmap, and observe that the excluded ciphers are still accepted.
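The check the conditions describe, connecting with an excluded cipher or scanning with nmap, comes down to one question: does the list the server advertises in its SSH_MSG_KEXINIT match the list shown by sshconfig? The following is an added example for this page, not code from the bug report or from Cisco. It parses a KEXINIT payload according to RFC 4253 section 7.1 and reports every cipher the server offers that the configured policy excludes. parse_kexinit, offered_ciphers and unexpected_ciphers work offline on a constructed sample payload; probe_server performs the version exchange against a live host and returns its KEXINIT, and is the only part that needs network access. The sample algorithm lists are an assumption built to mirror the symptom, not a capture from an SMA.

```python
"""Check which ciphers an SSH server really offers (added example, not Cisco code).

KEXINIT layout per RFC 4253 section 7.1. parse_kexinit / unexpected_ciphers run
offline on a captured or constructed payload; probe_server needs a reachable host.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Name-lists that follow the 16-byte cookie, in wire order (RFC 4253 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _read_name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    names = [s for s in buf[off:off + n].decode("ascii").split(",") if s]
    return names, off + n


def parse_kexinit(payload):
    """Map each KEXINIT name-list field to its list of algorithm names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}  # skip message type and random cookie
    for field in KEXINIT_FIELDS:
        out[field], off = _read_name_list(payload, off)
    return out


def offered_ciphers(payload):
    """Ciphers the server will accept from a client (client-to-server list)."""
    return parse_kexinit(payload)["encryption_algorithms_client_to_server"]


def unexpected_ciphers(payload, allowed):
    """Ciphers advertised by the server that the configured policy excludes."""
    allowed = set(allowed)
    return [c for c in offered_ciphers(payload) if c not in allowed]


def build_kexinit(**lists):
    """Assemble a KEXINIT payload from name-lists (used to construct sample data)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def probe_server(host, port=22, timeout=5.0):
    """Do the version exchange and return the server's KEXINIT payload (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-cipher_probe\r\n")
        f = s.makefile("rb")
        banner = f.readline()
        if not banner.startswith(b"SSH-"):
            raise ValueError("no SSH identification string: %r" % banner)
        # Binary packet (RFC 4253 6): uint32 packet_length, byte padding_length, payload, padding
        packet_length, padding_length = struct.unpack(">IB", f.read(5))
        rest = f.read(packet_length - 1)
        return rest[:packet_length - 1 - padding_length]


# Constructed sample (not an SMA capture): a server still advertising CBC ciphers
# although the configured policy is CTR-only, as the bug describes.
CONFIGURED_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
SAMPLE_KEXINIT = build_kexinit(
    kex_algorithms=["diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=CONFIGURED_CIPHERS + ["aes256-cbc", "3des-cbc"],
    encryption_algorithms_server_to_client=CONFIGURED_CIPHERS + ["aes256-cbc", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    # Replace SAMPLE_KEXINIT with probe_server("<appliance>") to test a real host.
    print("ciphers offered beyond policy:", unexpected_ciphers(SAMPLE_KEXINIT, CONFIGURED_CIPHERS))
```

The client-to-server encryption list is the one to compare against policy, because it is what the server will accept from a connecting client; an entry there that sshconfig does not show is exactly the symptom above, and a single `ssh -c <cipher>` attempt against each such entry confirms whether the server really negotiates it. Parsing the advertised list rather than attempting logins keeps the check read-only and avoids tripping the "Unsuccessful SSH login attempts allowed" counter.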