Cisco Email Security Appliance X1050 Troubleshooting Guide

How do I make sure that my ESA only accepts SSH connections from clients using SSH v2?
Document ID: 118639
Contributed by Chris Haag and Robert Sherwin, Cisco TAC Engineers.
Nov 10, 2014
Contents
Introduction
How do I make sure that my ESA only accepts SSH connections from clients using SSH v2?
Related Information
Introduction
This document describes how to review and configure SSH authentication versions on the Cisco Email Security Appliance (ESA).
How do I make sure that my ESA only accepts SSH connections from clients using SSH v2?
The ESA can be configured to allow Secure Shell (SSH) connections. SSH connections encrypt traffic between the connecting host and the ESA, which protects authentication information such as usernames and passwords. There are two major versions of the SSH protocol: version 1 (SSH v1) and version 2 (SSH v2). SSH v2, being more recent, is more secure than SSH v1, and thus many ESA administrators prefer to allow connections only from clients using SSH v2.

On versions of AsyncOS through 7.6.3, SSH v1 connections can be disabled from the CLI with sshconfig:
mail3.example.com> sshconfig
Currently installed keys for admin:
Choose the operation you want to perform:
- NEW - Add a new key.
- USER - Switch to a different user to edit.
- SETUP - Configure general settings.
[]> setup
SSH v1 is currently ENABLED.
Choose the operation you want to perform:
- DISABLE - Disable SSH v1
[]> DISABLE
On AsyncOS 8.x and newer, sshconfig no longer offers an option to disable SSH v1. If SSH v1 was enabled before the upgrade to 8.x, it remains enabled and reachable on the ESA after the upgrade completes, even though all support for SSH v1 has been removed. This may be an issue for administrators who perform regular security audits and penetration testing.

Because all support for SSH v1 has been removed, a support request must be opened to have SSH v1 disabled.
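A client-side check for the audit situation described above, added here as an example and not part of the Cisco document: it parses the SSH identification string a server sends (RFC 4253, section 4.2) and reports whether the host still advertises SSH v1. The sample banners are constructed for illustration; the fetch_banner helper needs network access to a real appliance and its host name is a placeholder.

```python
import socket

# Per RFC 4253 the server sends "SSH-protoversion-softwareversion" and may
# precede it with other lines. "1.99" is the compatibility marker meaning the
# server speaks both SSH v1 and SSH v2; "2.0" means SSH v2 only; "1.x" is v1 only.
def ssh_versions_from_banner(banner: str) -> set:
    """Return the set of SSH major versions advertised in a server banner."""
    for line in banner.splitlines():
        if line.startswith("SSH-"):
            proto = line.split("-", 2)[1]
            if proto == "1.99":
                return {1, 2}
            if proto.startswith("2."):
                return {2}
            if proto.startswith("1."):
                return {1}
            raise ValueError(f"unknown SSH protocol version field: {proto!r}")
    raise ValueError("no SSH identification string found in banner")

def only_ssh_v2(banner: str) -> bool:
    """True when the banner shows SSH v1 is not offered at all."""
    return ssh_versions_from_banner(banner) == {2}

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the raw identification string from a live host (network required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(255).decode("ascii", errors="replace")

def audit(banners: dict) -> dict:
    """Map each host to 'SSH v2 only' or 'SSH v1 still enabled'."""
    return {host: ("SSH v2 only" if only_ssh_v2(b) else "SSH v1 still enabled")
            for host, b in banners.items()}

# Constructed sample banners standing in for fetch_banner() results.
SAMPLE_BANNERS = {
    "esa-v2-only.example.com": "SSH-2.0-OpenSSH_example\r\n",
    "esa-legacy.example.com": "SSH-1.99-OpenSSH_example\r\n",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

A live run would replace SAMPLE_BANNERS with {host: fetch_banner(host)} for each ESA; a "1.99" banner after the upgrade is the sign that the support request described above is still needed.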