Cisco ISR 4000 Family Routers Administrator Guidance, Page 18 of 66
In addition, configure your SSH client for dh-group-14. In PuTTY, configure the SSH client to support only the diffie-hellman-group14-sha1 key exchange. To configure PuTTY, do the following:
   - Go to PuTTY Configuration > Connection > SSH > Kex;
   - Under "Algorithm selection policy", move "Diffie-Hellman group 14" to the top of the list;
   - Move the "warn below here" entry to directly below Diffie-Hellman group 14, so that PuTTY warns before using any other key exchange method.
6. Configure the vty lines to accept only SSH login services:
   TOE-common-criteria(config-line)# transport input ssh
7. Configure the SSH client to use only the following encryption algorithms: AES-CBC-128 and AES-CBC-256. On an IOS peer acting as the SSH client, the cipher is selected with the -c option:
   peer# ssh -l cisco -c aes128-cbc 1.1.1.1
   peer# ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure the SSH client to use message authentication. Only the following MACs are allowed; "none" is not an acceptable MAC:
   a. hmac-sha1 (selected as hmac-sha1-160 on the IOS client)
   b. hmac-sha1-96
   peer# ssh -l cisco -m hmac-sha1-160 1.1.1.1
   peer# ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. To verify that the proper encryption algorithms are in use on established connections, use the show ssh sessions command:
   TOE-common-criteria# show ssh sessions
   Note: To disconnect SSH sessions, use the ssh disconnect command:
   TOE-common-criteria# ssh disconnect
10. Configure the SSH time-based and volume-based rekey values. The values shown can be configured lower than the defaults if a shorter rekey interval is desired (time is in minutes, volume in kilobytes):
   a. ip ssh rekey time 60
   b. ip ssh rekey volume 1000000
11. The HTTP and HTTPS servers were not evaluated and must be disabled:
   TOE-common-criteria(config)# no ip http server
   TOE-common-criteria(config)# no ip http secure-server
12. The SNMP server was not evaluated and must be disabled:
   TOE-common-criteria(config)# no snmp-server
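The following script is an added example, not part of the Cisco guidance: it audits a saved "show running-config" capture for the device-side settings required by steps 6 and 10 to 12 (vty lines restricted to ssh, rekey time and volume no higher than the documented values, HTTP/HTTPS disabled, no SNMP configuration). The two configuration excerpts embedded in it are constructed for illustration, not taken from a real router. It assumes that a disabled HTTP server shows up in the running-config as the explicit "no ip http server" and "no ip http secure-server" lines, and that a disabled SNMP server shows up as the absence of any "snmp-server" line.

```python
"""Audit an IOS XE running-config excerpt for the SSH management settings
from steps 6 and 10-12. Added example, not Cisco's own tooling; the two
configs below are constructed and deliberately differ in what they get wrong."""
import re

# Constructed excerpt that violates step 6 (vty 5-15 still accepts telnet),
# step 10 (rekey time above 60 minutes) and step 12 (SNMP community present).
NONCOMPLIANT_CONFIG = """\
hostname TOE-common-criteria
!
no ip http server
no ip http secure-server
!
ip ssh rekey time 120
ip ssh rekey volume 500000
ip ssh version 2
!
snmp-server community public RO
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

# Constructed excerpt reflecting steps 6 and 10-12 as written on the page.
COMPLIANT_CONFIG = """\
hostname TOE-common-criteria
!
no ip http server
no ip http secure-server
!
ip ssh rekey time 60
ip ssh rekey volume 1000000
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

MAX_REKEY_TIME_MIN = 60        # step 10a: ip ssh rekey time 60 (minutes)
MAX_REKEY_VOLUME_KB = 1000000  # step 10b: ip ssh rekey volume 1000000 (KB)


def parse_blocks(config):
    """Split show-run text into global lines and {line-block header: [children]}.
    A child is an indented line following a 'line ...' header; '!' ends a block."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(stripped)
        elif stripped.startswith("line "):
            current = stripped
            blocks[current] = []
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, blocks


def audit(config):
    """Return a list of findings; an empty list means every check here passed."""
    findings = []
    global_lines, blocks = parse_blocks(config)

    # Step 6: each vty range must carry exactly 'transport input ssh'.
    for header, children in blocks.items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: expected 'transport input ssh', found {transports or 'none'}")

    # Step 10: rekey limits must be present and no higher than the documented values.
    for kind, limit, unit in (("time", MAX_REKEY_TIME_MIN, "minutes"),
                              ("volume", MAX_REKEY_VOLUME_KB, "KB")):
        matches = [re.fullmatch(rf"ip ssh rekey {kind} (\d+)", l) for l in global_lines]
        values = [int(m.group(1)) for m in matches if m]
        if not values:
            findings.append(f"ip ssh rekey {kind} not configured")
        elif values[0] > limit:
            findings.append(f"ip ssh rekey {kind} {values[0]} exceeds {limit} {unit}")

    # Step 11: both HTTP servers must be explicitly disabled (assumed to appear as 'no ...').
    for required in ("no ip http server", "no ip http secure-server"):
        if required not in global_lines:
            findings.append(f"missing '{required}'")

    # Step 12: no snmp-server configuration at all (assumed absent when SNMP is disabled).
    findings.extend(f"SNMP still configured: '{l}'" for l in global_lines
                    if l.startswith("snmp-server"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("non-compliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against a capture of "show running-config" taken after the steps above to confirm nothing was missed; the checks only cover what this page lists, so the server-side algorithm and key-exchange restrictions from the earlier steps need their own verification.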