Cisco Packet Data Gateway (PDG)
Conceal/Remove ssh server Configuration Options
CSCur33698 - ANSSI REQ E2: Allow SSH config and remove weak SSH crypto algorithms
Applicable Products: All
Feature Changes
Previous Behavior: The SSH v1-RSA key was supported and available to configure within the Context Configuration mode.
New Behavior: Version 1 of the SSH protocol is now obsolete due to security vulnerabilities. The v1-rsa keyword is no longer supported. Running a script or configuration that uses the SSH v1-rsa key returns an error message and generates an event log. The output of the error message is shown below:
Failure: SSH V1 contains multiple structural vulnerabilities and is no longer considered
secure. Therefore we don't support v1-rsa SSH key any longer, please generate a new v2-rsa
key to replace this old one.
If the system boots from a configuration that contains the v1-rsa key, you can expect a boot failure when logging in through SSH. The workaround is to log in via the Console port, regenerate a new ssh v2-rsa key, and configure server sshd. It will then be possible to log in via ssh.
The v1-rsa keyword has been removed from the Exec mode show ssh key CLI command.
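Before upgrading, a saved configuration can be audited for contexts that still carry a v1-rsa key (which Release 19 rejects) or the concealed v2-dsa type. The following is an added example, not part of this Cisco document or StarOS itself; the sample configuration is constructed with placeholder key data, and the key-line layout is assumed from the "ssh key name length key_length type ..." syntax quoted in this note.

```python
import re
from typing import List, Tuple
# Constructed sample of a StarOS configuration (not taken from a real device).
# Key material is a placeholder; the key-line layout is assumed from the
# "ssh key name length key_length type ..." syntax quoted in this note.
SAMPLE_CONFIG = """\
configure
  context local
    ssh key PLACEHOLDER-KEY-DATA length 1024 type v1-rsa
    server sshd
  #exit
  context ingress
    ssh key PLACEHOLDER-KEY-DATA length 1024 type v2-dsa
  #exit
  context egress
    ssh key PLACEHOLDER-KEY-DATA length 2048 type v2-rsa
  #exit
end
"""
CONTEXT_RE = re.compile(r"^\s*context\s+(\S+)")
SSH_KEY_RE = re.compile(r"^\s*ssh\s+key\b.*\btype\s+(v1-rsa|v2-dsa|v2-rsa)\b")

# What Release 19 does with each key type, per the Feature Changes above.
VERDICTS = {
    "v1-rsa": "REMOVED: regenerate a v2-rsa key before upgrading",
    "v2-dsa": "CONCEALED: still parsed, but migrate to v2-rsa",
    "v2-rsa": "OK",
}

def audit_ssh_keys(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (context, key_type, verdict) for every 'ssh key ... type X' line."""
    findings, context = [], "(no context)"
    for line in config_text.splitlines():
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(1)
            continue
        key = SSH_KEY_RE.match(line)
        if key:
            findings.append((context, key.group(1), VERDICTS[key.group(1)]))
    return findings

def blocking_contexts(config_text: str) -> List[str]:
    """Contexts whose saved SSH key would trigger the Release 19 login failure."""
    return [c for c, t, _ in audit_ssh_keys(config_text) if t == "v1-rsa"]

if __name__ == "__main__":
    for ctx, ktype, verdict in audit_ssh_keys(SAMPLE_CONFIG):
        print(f"context {ctx}: ssh key type {ktype} -> {verdict}")
```

Run it against the output of a saved configuration to get the list of contexts whose key must be regenerated from the console before the upgrade.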
Command Changes
Important: A keyword that was supported in a previous release may be concealed in subsequent releases. StarOS continues to parse concealed keywords in existing scripts and configuration files created in a previous release, but the concealed keyword no longer appears in the command syntax for use in new scripts or configuration files. Entering a question mark (?) will not display a concealed keyword as part of the Help text. A removed keyword will return an error message when parsed.
ssh
Removed the v1-rsa keyword and concealed the v2-dsa keyword for the Context Configuration mode ssh generate CLI command.
configure
  context context_name
    ssh generate key type v2-rsa
    end
The v2-dsa keyword is removed in the ssh generate key type syntax and concealed in the ssh key name length key_length type v2-rsa syntax.
Release Change Reference, StarOS Release 19
System Changes in Release 19