2.1.1.2 Set version 2 for 'ip ssh version'

Information

Specify the version of Secure Shell (SSH) to be run on a router.

Rationale:

SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006.

Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.

Impact:

To reduce the risk of unauthorized access, organizations should implement a security policy to review their current protocols to ensure the most secure protocol versions are in use.

Solution

Configure the router to use SSH version 2:

hostname(config)#ip ssh version 2

Default Value:

SSH is not enabled by default. When enabled, SSH operates in compatibility mode (versions 1 and 2 supported).
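The following script is an added example for this benchmark item; it is not Tenable, CIS or Cisco code. It audits the setting from two pieces of evidence a reviewer would collect from a device: the "show ip ssh" output and the running configuration. Where IOS reports version 1.99 it is running in the compatibility mode described above (SSHv1 and SSHv2 both accepted), 2.0 means SSHv2 only, and anything else (1.5 for SSHv1 only) is a failure. The device outputs and hostnames in the script are constructed to match the IOS output format, not captured from a real router.

```python
"""Audit the 'ip ssh version 2' setting from Cisco IOS show output.

Added example for this benchmark item; not Tenable, CIS or Cisco code.
The device outputs below are constructed in the IOS output format.
"""
import re

# Constructed samples of 'show ip ssh' output (not captured from a real device).
SHOW_IP_SSH_COMPAT = (
    "SSH Enabled - version 1.99\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
)
SHOW_IP_SSH_V2 = (
    "SSH Enabled - version 2.0\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
)
SHOW_IP_SSH_DISABLED = "SSH Disabled - version 1.99\n"

# Constructed running-config fragments; 'edge-rtr1' is a placeholder hostname.
RUNNING_CONFIG_COMPLIANT = """!
hostname edge-rtr1
ip ssh version 2
line vty 0 4
 transport input ssh
!
"""
RUNNING_CONFIG_DEFAULT = """!
hostname edge-rtr1
line vty 0 4
 transport input ssh
!
"""

# The remediation command from the benchmark item.
REMEDIATION = "ip ssh version 2"

_VERSION_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)", re.M)


def audit_show_ip_ssh(output):
    """Return (compliant, finding) from 'show ip ssh' output.

    IOS reports 1.99 when both protocol versions are accepted (the default
    compatibility mode), 2.0 when only SSHv2 is accepted, and 1.5 when only
    SSHv1 is accepted. Only 2.0 satisfies this benchmark item.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return False, "unrecognised output; cannot determine SSH version"
    state, version = m.group(1), m.group(2)
    if state == "Disabled":
        return False, "SSH is not enabled; enable it and set 'ip ssh version 2'"
    if version == "2.0":
        return True, "SSHv2 only"
    if version == "1.99":
        return False, "compatibility mode (SSHv1 and SSHv2 both accepted)"
    return False, f"SSHv1 only (reported version {version})"


def audit_running_config(config):
    """Return (compliant, finding) from the running configuration text.

    No 'ip ssh version' line means the device is left in the default
    compatibility mode, which is a failure for this item.
    """
    for line in config.splitlines():
        m = re.match(r"^ip ssh version (\d)$", line.strip())
        if m:
            if m.group(1) == "2":
                return True, "ip ssh version 2 is configured"
            return False, f"ip ssh version {m.group(1)} is configured"
    return False, "no 'ip ssh version' line; device is in default compatibility mode"


def remediation(compliant):
    """Return the config command to apply, or None when already compliant."""
    return None if compliant else REMEDIATION


if __name__ == "__main__":
    for name, out in [("compat", SHOW_IP_SSH_COMPAT),
                      ("v2", SHOW_IP_SSH_V2),
                      ("disabled", SHOW_IP_SSH_DISABLED)]:
        ok, why = audit_show_ip_ssh(out)
        print(f"show ip ssh [{name}]: {'PASS' if ok else 'FAIL'} - {why}")
    for name, cfg in [("default", RUNNING_CONFIG_DEFAULT),
                      ("compliant", RUNNING_CONFIG_COMPLIANT)]:
        ok, why = audit_running_config(cfg)
        fix = remediation(ok)
        print(f"running-config [{name}]: {'PASS' if ok else 'FAIL'} - {why}"
              + (f"; apply: {fix}" if fix else ""))
```

Both checks are worth running together: the running configuration shows what the operator intended, while "show ip ssh" shows what the device actually negotiates, and a device with no RSA key pair will report SSH as disabled even when the version line is present.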

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, CSCv7|5.1

Plugin: Cisco

Control ID: 5096072468e9f4a91c7c23541f489cabd0dd85a838a632a0d9b1478d2647e0f4