The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
A Secure Shell (SSH) configuration enables a Cisco IOS SSH server and client to negotiate only those algorithms that are configured in the allowed list. If a remote party offers only algorithms that are not part of the allowed list, the negotiation is rejected and the session is not established.
Summary steps for configuring the encryption algorithms on the SSH server or client:

1. enable
2. configure terminal
3. ip ssh {server | client} algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}
4. end
A command that would leave no encryption algorithm enabled is rejected with the following message:

```
% SSH command rejected: All encryption algorithms cannot be disabled
```
Summary steps for configuring the MAC algorithms on the SSH server or client:

1. enable
2. configure terminal
3. ip ssh {server | client} algorithm mac {hmac-sha1 | hmac-sha1-96}
4. end
Command or Action | Purpose
---|---
Step 1: enable (Example: Device> enable) | Enables privileged EXEC mode.
Step 2: configure terminal (Example: Device# configure terminal) | Enters global configuration mode.
Step 3: ip ssh {server \| client} algorithm mac {hmac-sha1 \| hmac-sha1-96} (Examples: Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96; Device(config)# ip ssh client algorithm mac hmac-sha1 hmac-sha1-96) | Defines the order of MAC (Message Authentication Code) algorithms in the SSH server and client. This order is presented during algorithm negotiation.
Step 4: end (Example: Device(config)# end) | Exits global configuration mode and returns to privileged EXEC mode.
A command that would leave no MAC algorithm enabled is rejected with the following message:

```
% SSH command rejected: All mac algorithms cannot be disabled
```
Summary steps for configuring the host key algorithms on the SSH server:

1. enable
2. configure terminal
3. ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}
4. end
Command or Action | Purpose
---|---
Step 1: enable (Example: Device> enable) | Enables privileged EXEC mode.
Step 2: configure terminal (Example: Device# configure terminal) | Enters global configuration mode.
Step 3: ip ssh server algorithm hostkey {x509v3-ssh-rsa \| ssh-rsa} (Example: Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa) | Defines the order of host key algorithms. Only the configured algorithm is negotiated with the Cisco IOS secure shell (SSH) client.
Step 4: end (Example: Device(config)# end) | Exits global configuration mode and returns to privileged EXEC mode.
A command that would leave no host key algorithm enabled is rejected with the following message:

```
% SSH command rejected: All hostkey algorithms cannot be disabled
```
Summary steps for verifying the configured SSH algorithms:

1. enable
2. show ip ssh

Command or Action | Purpose
---|---
Step 1: enable (Example: Device> enable) | Enables privileged EXEC mode.
Step 2: show ip ssh | Displays configured Secure Shell (SSH) encryption, host key, and Message Authentication Code (MAC) algorithms.

Example output of show ip ssh:

```
Device# show ip ssh
Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

Device# show ip ssh
MAC Algorithms: hmac-sha1 hmac-sha1-96

Device# show ip ssh
Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa
```
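As an added illustration that is not Cisco's code: a small Python model that parses the show ip ssh output above, checks the configured lists against the Common Criteria allowed lists from this module, applies the RFC 4253 negotiation rule to a client's offer, and refuses to disable the last algorithm of a kind, as the device does. The sample output, the client offers and the non-allowed algorithm names are constructed for the example.

```python
import re

# Constructed sample of 'show ip ssh' output, using the lists shown on this page.
SHOW_IP_SSH = """\
Device# show ip ssh
Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc
MAC Algorithms: hmac-sha1 hmac-sha1-96
Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa
"""

# Allowed lists for Common Criteria Certification, as given in this module.
CC_ALLOWED = {
    "encryption": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc",
                   "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96"],
    "hostkey": ["x509v3-ssh-rsa", "ssh-rsa"],
}

def parse_show_ip_ssh(text):
    """Return the configured lists, in configured order, keyed by kind."""
    lists = {}
    for line in text.splitlines():
        m = re.match(r"(Encryption|MAC|Hostkey) Algorithms:\s*(.*)", line.strip())
        if m:
            lists[m.group(1).lower()] = re.split(r"[,\s]+", m.group(2).strip())
    return lists

def check_against_allowed(configured, allowed=CC_ALLOWED):
    """Return {kind: [algorithms configured but absent from the allowed list]}."""
    return {k: [a for a in v if a not in allowed.get(k, [])] for k, v in configured.items()}

def negotiate(client_offer, server_list):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the server
    also supports is chosen; None means no match, so the session is not established."""
    return next((a for a in client_offer if a in server_list), None)

def disable_algorithm(current, name, kind):
    """Model removing one algorithm from a configured list; like the device, refuse a
    change that would leave no algorithm of that kind enabled."""
    remaining = [a for a in current if a != name]
    if not remaining:
        raise ValueError(f"% SSH command rejected: All {kind} algorithms cannot be disabled")
    return remaining

if __name__ == "__main__":
    cfg = parse_show_ip_ssh(SHOW_IP_SSH)
    print("not allowed:", check_against_allowed(cfg))
    print("chosen cipher:", negotiate(["aes256-gcm@openssh.com", "aes256-ctr"], cfg["encryption"]))
    print("no common cipher:", negotiate(["chacha20-poly1305@openssh.com"], cfg["encryption"]))
```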
Configuring encryption algorithms for the SSH server:

```
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end
```

Configuring encryption algorithms for the SSH client:

```
Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end
```

Configuring MAC algorithms for the SSH server:

```
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
Device(config)# end
```

Configuring MAC algorithms for the SSH client:

```
Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
Device(config)# end
```

Configuring host key algorithms for the SSH server:

```
Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
Device(config)# end
```
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |
SSH authentication | “Secure Shell-Configuring User Authentication Methods” chapter in the Secure Shell Configuration Guide
X.509v3 digital certificates in server and user authentication | “X.509v3 Certificates for SSH Authentication” chapter in the Secure Shell Configuration Guide
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
SSH Algorithms for Common Criteria Certification | Cisco IOS XE Release 3.15S | The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list. The following commands were introduced by this feature: ip ssh {server \| client} algorithm encryption, ip ssh {server \| client} algorithm mac.