Algorithm Encryption SSHv2

Servicio Tac
Level 1

Dear all,

I would like to know, based on the vendor's security best practices, what is recommended to configure as the encryption algorithm.

Should I keep CBC or CTR?

ip ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr

2 Replies

@Servicio Tac use CTR as your preferred SSH crypto algorithm, possibly with CBC as a fallback, though most SSH clients will support CTR.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-sy/sec-usr-ssh-15-sy-book/sec-aes-ctr-ssh-v2.pdf

You should definitely remove 3DES.

 

CatsAndIT
Level 1

Hello!

Like Mr. Ingram said, absolutely remove 3DES. However, I would also remove the CBC algorithms; they're typically problematic during security audits, as the Initialization Vector (IV) is not randomized as it should be.

I would reissue the command like this:

ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

WHY: You always want to put your strongest algorithms first, as typical systems will attempt to use the first ones presented. If you wanted to go a bit more secure but risk compatibility (a system not supporting one of the algorithms), you could also trim off aes128-ctr (though this is not recommended, as AES-128 is still considered a "safe" algorithm).
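An added example, not code from the original thread or from Cisco: an auditing script that parses the cipher name-lists out of a raw SSH_MSG_KEXINIT payload (the proposal a client or scanner receives from the device, RFC 4253 section 7.1), flags 3DES and every CBC mode, and emits the `ip ssh server algorithm encryption` line in strongest-first order. The KEXINIT bytes are constructed inline from the cipher list in the original question; the preferred-order list, the weak-cipher substrings and all function names are this example's own assumptions, not anything the replies specify.

```python
import struct

SSH_MSG_KEXINIT = 20

# Weak-cipher policy matching the thread's advice (drop 3DES and all CBC modes);
# the extra legacy names are an assumption added for completeness.
WEAK_SUBSTRINGS = ("3des", "-cbc", "arcfour", "blowfish", "cast128")

# Strongest-first preference (assumed policy, not from the original post).
# Ciphers the device does not offer are simply skipped.
PREFERRED_ORDER = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                   "aes256-ctr", "aes192-ctr", "aes128-ctr"]

KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def build_kexinit(name_lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from ten name-lists (used here only to construct sample input)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    body += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = false, reserved = 0
    return body


def _name_list(buf, off):
    """Read one SSH name-list (uint32 length + comma-separated ASCII names) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse a decrypted KEXINIT payload (starting at the message-type byte,
    without the packet_length/padding_length prefix) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def audit_ciphers(offered):
    """Split an offered cipher list into (weak, acceptable), preserving the device's order."""
    weak = [c for c in offered if any(w in c for w in WEAK_SUBSTRINGS)]
    ok = [c for c in offered if c not in weak]
    return weak, ok


def recommended_cisco_line(offered):
    """Build the IOS command with weak ciphers removed and the rest in strongest-first order.
    Only ciphers the device already offers are kept, so the line is always applicable."""
    _, ok = audit_ciphers(offered)
    ordered = [c for c in PREFERRED_ORDER if c in ok]
    ordered += [c for c in ok if c not in PREFERRED_ORDER]
    return "ip ssh server algorithm encryption " + " ".join(ordered)


# Constructed sample: the cipher list from the original question, wrapped in a
# KEXINIT with placeholder values for the fields this audit does not look at.
DEVICE_CIPHERS = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
                  "aes128-ctr", "aes192-ctr", "aes256-ctr"]
SAMPLE_KEXINIT = build_kexinit([
    ["diffie-hellman-group14-sha1"], ["ssh-rsa"],
    DEVICE_CIPHERS, DEVICE_CIPHERS,
    ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    proposal = parse_kexinit(SAMPLE_KEXINIT)
    offered = proposal["encryption_algorithms_client_to_server"]
    weak, ok = audit_ciphers(offered)
    print("offered   :", offered)
    print("weak      :", weak)
    print("acceptable:", ok)
    print("fix       :", recommended_cisco_line(offered))
```

On a real device you would feed `parse_kexinit` the proposal captured from the wire (for example from a packet capture, or cross-check against what `ssh -vv` prints as the peer's KEXINIT proposal) rather than the constructed sample, and then compare the result with the running `ip ssh server algorithm encryption` line; a mismatch means the configuration on the page is not what clients actually negotiate.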