1.7.3 Set SSH Key Modulus Length

Information

SSH sessions are encrypted using a key unique to the host (in this case the NX-OS switch). It is recommended that this key be 2048 bytes long or longer.

While attacking encryption algorithms is not practical for commodity malware, it is definitely possible. Since remediation is so easily done, it is definitely recommended.

Solution

Again, this must be implemented using an out-of-band (i.e., not SSH) method.

switch(config)# no feature ssh
switch(config)# ssh key rsa 2048 force
switch(config)# feature ssh

Impact:

Implementing this feature requires the deletion of the existing (default) SSH keys, which are 1024 bytes in length. This means that this change must be implemented using some other access method, such as the console port or a temporary telnet session (be sure to disable telnet after remediation if this method is used).
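To verify the remediation from a management host rather than trusting the switch's own output, the host key's RSA modulus length can be measured directly from the public key line. The following is an added example (not code from Tenable, CIS or Cisco): it parses an OpenSSH-format "ssh-rsa" line, which is what `ssh-keyscan -t rsa <switch>` prints and what `show ssh key` displays on NX-OS, decodes the RFC 4253 wire-format blob, and compares the modulus bit length against the 2048 value used in the `ssh key rsa 2048 force` command. The `make_test_key` helper builds constructed sample keys with a synthetic (not real) modulus purely so the check can be exercised offline.

```python
import base64
import struct

MIN_MODULUS_BITS = 2048  # matches "ssh key rsa 2048" in the remediation above


def _encode_string(data: bytes) -> bytes:
    # SSH "string": 4-byte big-endian length followed by the bytes (RFC 4251)
    return struct.pack(">I", len(data)) + data


def _encode_mpint(value: int) -> bytes:
    # SSH "mpint": two's-complement big-endian, length-prefixed; a leading
    # zero byte is added when the top bit is set so the number stays positive
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_string(raw)


def _read_string(blob: bytes, offset: int):
    # Read one length-prefixed field, returning (bytes, next_offset)
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the RSA modulus size in bits for an OpenSSH 'ssh-rsa' key line.

    Accepts both 'ssh-rsa AAAA...' (show ssh key / authorized_keys style) and
    'host ssh-rsa AAAA...' (ssh-keyscan style) by locating the type token.
    """
    fields = pubkey_line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa public key line")
    idx = fields.index("ssh-rsa")
    if idx + 1 >= len(fields):
        raise ValueError("missing base64 key blob")
    blob = base64.b64decode(fields[idx + 1])

    # Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type mismatch: %r" % key_type)
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    # int.from_bytes ignores the sign-padding zero byte, so bit_length is exact
    return int.from_bytes(modulus, "big").bit_length()


def is_compliant(pubkey_line: str, minimum: int = MIN_MODULUS_BITS) -> bool:
    """True when the host key's modulus meets the benchmark's minimum length."""
    return rsa_modulus_bits(pubkey_line) >= minimum


def make_test_key(modulus_bits: int, comment: str = "constructed-sample") -> str:
    # Constructed test data only: the modulus is a synthetic odd number of the
    # requested bit length, NOT a product of two primes, so it is useless as a
    # real key but has exactly the size the checker should report.
    exponent = 65537
    modulus = (1 << (modulus_bits - 1)) | 1
    blob = _encode_string(b"ssh-rsa") + _encode_mpint(exponent) + _encode_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    # Constructed examples: a default-sized 1024-bit key and a remediated 2048-bit key
    for bits in (1024, 2048):
        line = make_test_key(bits)
        print("modulus %4d bits -> compliant: %s" % (rsa_modulus_bits(line), is_compliant(line)))
```

In practice the line passed to `rsa_modulus_bits` would be the `ssh-rsa` line captured from `ssh-keyscan -t rsa` against the switch's management address, or pasted from `show ssh key`; a non-compliant result indicates the default 1024-bit key is still in place and the `no feature ssh` / `ssh key rsa 2048 force` / `feature ssh` sequence above has not been applied.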

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|18.5

Plugin: Cisco

Control ID: 4e6b9edbf583c7a7866b6539ddef96888f7331b6a642e10f3e6ced3b98d1f661