Upgrade and Migration of Open SSH to Cisco SSH

Feature Summary and Revision History

Summary Data

Applicable Product(s) or Functional Area

All

Applicable Platform(s)

  • ASR 5500

  • VPC-DI

  • VPC-SI

Feature Default

Enabled - Always-on

Related Changes in This Release

Not applicable

Related Documentation

  • ASR 5500 System Administration Guide

  • Command Line Interface Reference

  • VPC-DI System Administration Guide

  • VPC-SI System Administration Guide

Revision History


Important

Revision history details are not provided for features introduced before releases 21.2 and N5.1.


Revision Details

Release

With this release, the algorithm values of Ciphers and MACs are modified based on the upgrade and migration of OpenSSH to CiscoSSH.

21.16

First introduced.

Pre 21.2

Feature Changes

As a security measure for Cisco ASR 5500 and VPC products, the Ciphers and MACs algorithm values are modified to support the upgrade and migration of the Open SSH to Cisco SSH versions.

Previous Behavior: In releases earlier to 21.16, the default algorithm values of the cipher and macs commands were as follows:

  • Cipher

    Release 20.x to 21.15 (Normal build only)

    Resets the value of algorithm in a Normal build to:
    blowfish-cbc,3des-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com 
  • MACs

    Release 20.x to 21.15 (Trusted build only)

    Resets the value of algorithm in a Trusted build to:

    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,
    hmac-sha2-256,hmac-sha1 
  • KEX Algorithms

    Release 20.x to 21.15

    Available Algorithms in Normal and Trusted Builds:

    diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 

New Behavior: In this release, the default algorithm values of the cipher and macs commands are as follows:

  • Cipher

    Release 21.16 onwards: Post OpenSSH to CiscoSSH Upgrade and Migration

    Default Algorithms in a Normal Build:

    aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com 

    Available Algorithms in a Normal Build:

     aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc 

    Default and Available Algorithms in Trusted Builds:

    aes256-ctr,aes192-ctr,aes128-ctr 

    Note

    There is no change in the default and configurable Ciphers for Trusted builds.
  • MACs

    Release 21.16 onwards: Post OpenSSH to CiscoSSH Upgrade and Migration

    Default and Available Algorithms in Normal Builds:

    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,
    hmac-sha2-256,hmac-sha1 

    Default Algorithms in Trusted Builds:

     hmac-sha2-512,hmac-sha2-256,hmac-sha1 

    Available Algorithms in Trusted Builds:

    hmac-sha2-512,hmac-sha2-256,hmac-sha1 

    Note

    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com are removed from the Trusted builds.
  • KEX Algorithms

    Release 21.16 onwards: Post OpenSSH to CiscoSSH Upgrade and Migration

    Available Algorithms in Normal and Trusted Builds:

    diffie-hellman-group14-sha1 

    Note

    KEX algorithms are not configurable in StarOS. Therefore, there are no CLI changes.