The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The AES-CTR Support for SSHv2 feature provides increased security through support for the Advanced Encryption Standard counter (AES-CTR) encryption mode during an encrypted Secure Shell version 2 (SSHv2) session between the server and the client.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About AES-CTR Support for SSHv2
The Cisco Secure Shell (SSH) implementation enables a secure, encrypted connection between a server and client. The SSH servers and clients use the SSH protocol to provide device authentication and encryption.
To start an encrypted session between the SSH client and server, the preferred mode of encryption needs to be decided. For increased security, the preferred crypto algorithm for the SSH session is the Advanced Encryption Standard counter mode (AES-CTR).
SSH version 2 (SSHv2) supports AES-CTR encryption for 128-, 192-, and 256-bit key length. From the supported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater the length of the key, the stronger the encryption.
If the SSH session uses a remote device that does not support the AES-CTR encryption mode, then the encryption mode for the session falls back to AES-CBC mode.
How to Configure AES-CTR Support for SSHv2
Perform this task to start an encrypted Secure Shell (SSH) session from the SSH client using the Advanced Encryption Standard counter mode (AES-CTR) encryption mode.
Note | The device with which you want to connect must support an SSH server that has the AES-CTR encryption algorithm that is supported in Cisco software. SSH can be run even when the device is disabled. |
1.
enable
2.
ssh [-v {1 |
2} |
-c {aes128-ctr |
aes192-ctr |
aes256-ctr |
aes128-cbc |
3des |
aes192-cbc |
aes256-cbc} |
-l
user-id |
-l
user-id:vrf-name number ip-address
ip-address |
-l
user-id:rotary number
ip-address |
-m {hmac-md5-128 |
hmac-md5-96 |
hmac-sha1-160
|
hmac-sha1-96} |
-o
numberofpasswordprompts
n |
-p
port-num]
{ip-addr |
hostname}
[command |
-vrf]
3.
exit
1.
enable
2.
show ssh
3.
debug ip ssh detail
Configuration Examples for AES-CTR Support for SSHv2
The following example shows how to start an encrypted Secure Shell (SSH) session from the SSH client using the Advanced Encryption Standard counter mode (AES-CTR) encryption mode:
Device> enable Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2 10.76.82.24 Device# exit
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
SSH configuration |
Secure Shell Configuration Guide |
Standard/RFC |
Title |
---|---|
RFC 4344 |
The Secure Shell (SSH) Transport Layer Encryption Modes |
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
AES-CTR Support for SSHv2 |
15.4(2)T 15.2(1)SY |
The AES-CTR Support for SSHv2 feature provides increased security through support for the Advanced Encryption Standard counter (AES-CTR) encryption mode during an encrypted Secure Shell version 2 (SSHv2) session between the server and the client. |