SSH Algorithms for Common Criteria Certification

The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About SSH Algorithms for Common Criteria Certification

SSH Algorithms for Common Criteria Certification

A Secure Shell (SSH) configuration enables a Cisco IOS SSH server and client to negotiate only those algorithms that are configured on the allowed list. If a remote party tries to negotiate using only algorithms that are not on the allowed list, the request is rejected and the session is not established.

Cisco IOS SSH Server Algorithms

Cisco IOS secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:
  1. aes128-ctr
  2. aes192-ctr
  3. aes256-ctr
  4. aes128-cbc
  5. 3des-cbc
  6. aes192-cbc
  7. aes256-cbc

Cisco IOS SSH servers support the Message Authentication Code (MAC) algorithms in the following order:
  1. hmac-sha1
  2. hmac-sha1-96

Cisco IOS SSH servers support the host key algorithms in the following order:
  1. x509v3-ssh-rsa
  2. ssh-rsa

Cisco IOS SSH Client Algorithms

Cisco IOS secure shell (SSH) clients support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:
  1. aes128-ctr
  2. aes192-ctr
  3. aes256-ctr
  4. aes128-cbc
  5. 3des-cbc
  6. aes192-cbc
  7. aes256-cbc

Cisco IOS SSH clients support the Message Authentication Code (MAC) algorithms in the following order:
  1. hmac-sha1
  2. hmac-sha1-96

Cisco IOS SSH clients support only one host key algorithm and do not need a CLI configuration:
  • ssh-rsa

How to Configure SSH Algorithms for Common Criteria Certification

Configuring an Encryption Key Algorithm for a Cisco IOS SSH Server and Client

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip ssh {server | client} algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}
  4. end

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip ssh {server | client} algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}

Example:


Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Device(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Defines the order of encryption algorithms in the SSH server and client. This order is presented during algorithm negotiation.

Note 

The Cisco IOS SSH server and client must have at least one configured encryption algorithm.

Note 

To disable one algorithm from the previously configured algorithm list, use the no form of this command. To disable more than one algorithm, use the no form of this command multiple times with different algorithm names.

Note

For a default configuration, use the default form of this command as shown below:

Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Step 4

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Troubleshooting Tips

If you try to disable the last encryption algorithm in the configuration, the following message is displayed and the command is rejected:


% SSH command rejected: All encryption algorithms cannot be disabled

Configuring a MAC Algorithm for a Cisco IOS SSH Server and Client

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip ssh {server | client} algorithm mac {hmac-sha1 | hmac-sha1-96}
  4. end

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip ssh {server | client} algorithm mac {hmac-sha1 | hmac-sha1-96}

Example:


Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96

Device(config)# ip ssh client algorithm mac hmac-sha1 hmac-sha1-96

Defines the order of MAC (Message Authentication Code) algorithms in the SSH server and client. This order is presented during algorithm negotiation.

Note 

The Cisco IOS SSH server and client must have at least one configured Hashed Message Authentication Code (HMAC) algorithm.

Note 

To disable one algorithm from the previously configured algorithm list, use the no form of this command. To disable more than one algorithm, use the no form of this command multiple times with different algorithm names.

Note

For a default configuration, use the default form of this command as shown below:

Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96

Step 4

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Troubleshooting Tips

If you try to disable the last MAC algorithm in the configuration, the following message is displayed and the command is rejected:


% SSH command rejected: All mac algorithms cannot be disabled

Configuring a Host Key Algorithm for a Cisco IOS SSH Server

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}
  4. end

DETAILED STEPS

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}

Example:


Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa

Defines the order of host key algorithms. Only the configured algorithm is negotiated with the Cisco IOS secure shell (SSH) client.

Note 
The Cisco IOS SSH server must have at least one configured host key algorithm:
  • x509v3-ssh-rsa—X.509v3 certificate-based authentication

  • ssh-rsa—Public-key-based authentication

Note 

To disable one algorithm from the previously configured algorithm list, use the no form of this command. To disable more than one algorithm, use the no form of this command multiple times with different algorithm names.

Note

For a default configuration, use the default form of this command as shown below:

Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa

Step 4

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Troubleshooting Tips

If you try to disable the last host key algorithm in the configuration, the following message is displayed and the command is rejected:


% SSH command rejected: All hostkey algorithms cannot be disabled

Verifying SSH Algorithms for Common Criteria Certification

SUMMARY STEPS

  1. enable
  2. show ip ssh

DETAILED STEPS


Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Example:


Device> enable

Step 2

show ip ssh

Displays configured Secure Shell (SSH) encryption, host key, and Message Authentication Code (MAC) algorithms.

Example:

The following sample output from the show ip ssh command shows the encryption algorithms configured in the default order:

Device# show ip ssh

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

The following sample output from the show ip ssh command shows the MAC algorithms configured in the default order:

Device# show ip ssh

MAC Algorithms: hmac-sha1 hmac-sha1-96

The following sample output from the show ip ssh command shows the host key algorithms configured in the default order:

Device# show ip ssh

Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa
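As an added example that is not part of this Cisco guide: a Python audit helper that parses the three algorithm lines quoted above from show ip ssh output, checks each configured list against the allowed lists given in this module, and applies the SSH negotiation rule from RFC 4253 section 7.1 to show why a client offering only algorithms off the list is rejected, as the Information section describes. The sample output and the client offers are constructed; the RFC rule is the protocol's, not something this guide states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show ip ssh` output, in the format this page quotes
# (only the three algorithm lines; other lines of real output are omitted).
SAMPLE_SHOW_IP_SSH = """\
Device# show ip ssh
Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc
MAC Algorithms: hmac-sha1 hmac-sha1-96
Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa
"""

# The allowed lists and their order, as given on this page (keys mirror the
# CLI keywords: encryption, mac, hostkey).
CC_ALLOWED: Dict[str, List[str]] = {
    "encryption": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc",
                   "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96"],
    "hostkey": ["x509v3-ssh-rsa", "ssh-rsa"],
}

_LINE_RE = re.compile(r"^(Encryption|MAC|Hostkey) Algorithms:\s*(.*)$")


def parse_show_ip_ssh(output: str) -> Dict[str, List[str]]:
    """Return the configured algorithm lists in configured order. Names are
    separated by commas and/or spaces (the page's sample output uses both)."""
    lists: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            lists[m.group(1).lower()] = [a for a in re.split(r"[,\s]+", m.group(2)) if a]
    return lists


def audit(configured: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compliance check: for each class, the configured names that are not on
    the allowed list. An empty list for every class means the device complies."""
    return {cls: [a for a in names if a not in CC_ALLOWED.get(cls, [])]
            for cls, names in configured.items()}


def negotiate(client_offer: List[str], server_allowed: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1 rule: the chosen algorithm is the first name in the
    client's list that the server also supports. None means no common algorithm,
    and the server rejects the session, as the page describes."""
    allowed = set(server_allowed)
    return next((a for a in client_offer if a in allowed), None)
```

Note that the client's order, not the server's, decides which common algorithm is chosen; the configured server order only determines what the server is willing to accept.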


Configuration Examples For SSH Algorithms for Common Criteria Certification

Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Server


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end 

Example: Configuring Encryption Key Algorithms for a Cisco IOS SSH Client


Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end 

Example: Configuring MAC Algorithms for a Cisco IOS SSH Server


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
Device(config)# end 

Example: Configuring Key Exchange DH Group for a Cisco IOS SSH Server


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm kex diffie-hellman-group-exchange-sha1
Device(config)# end 


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm kex diffie-hellman-group14-sha1
Device(config)# end 

Example: Configuring Host Key Algorithms for a Cisco IOS SSH Server


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
Device(config)# end 

Additional References for SSH Algorithms for Common Criteria Certification

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands

Related Topic: SSH authentication
Document Title: “Secure Shell-Configuring User Authentication Methods” chapter in the Secure Shell Configuration Guide

Related Topic: X.509v3 digital certificates in server and user authentication
Document Title: “X.509v3 Certificates for SSH Authentication” chapter in the Secure Shell Configuration Guide

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for SSH Algorithms for Common Criteria Certification

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1. Feature Information for SSH Algorithms for Common Criteria Certification

Feature Name: SSH Algorithms for Common Criteria Certification

Releases:

Feature Information: The SSH Algorithms for Common Criteria Certification feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and host key algorithms for a secure shell (SSH) server and client so that SSH connections can be limited on the basis of the allowed algorithms list.

The following commands were introduced by this feature: ip ssh {server | client} algorithm encryption, ip ssh {server | client} algorithm mac.