This document describes the steps to add (or) remove Ciphers, MACs, and Kex Algorithms in Nexus platforms.
Cisco recommends that you understand the basics of Linux and Bash.
The information in this document is based on these hardware and software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Sometimes, security scans can find weak encryption methods used by Nexus devices. If this happens, changes to the dcos_sshd_config file on the switches are required to remove these insecure algorithms.
To confirm which Ciphers, MACs, and Kex Algorithms a platform uses, check from an external device with one of these options:
Open a CMD line on a PC that can reach the Nexus device and use the command ssh -vvv <hostname>.
C:\Users\xxxxx>ssh -vvv <hostname>
--------- snipped ------------
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,curve25519-sha256@libssh.org <--- Kex algorithms
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc <--- encryption algorithms
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1 <--- mac algorithms
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com <--- compression algorithms
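Reading the server's KEXINIT proposal by eye is error-prone on a long list. The following Python script, added here as an example and not part of Cisco's document, parses the debug2: lines above into lists and flags the entries scanners typically report (CBC ciphers, SHA-1 MACs and key exchanges, group1, arcfour, 3DES, MD5). The sample output embedded in it is constructed from the transcript above, and the weak-algorithm pattern is an assumption to adapt to your own baseline.

```python
import re

# Pattern for algorithm names that scanners usually flag as weak.
# Assumption: adapt this to your own security baseline.
WEAK_ALGORITHM = re.compile(r"-cbc\b|-sha1\b|group1-|arcfour|3des|-md5\b")

# Lines of the server KEXINIT proposal that matter here, keyed by a short name.
LINE_PATTERNS = {
    "kex": re.compile(r"^debug2: KEX algorithms: (.+)$"),
    "ciphers_stoc": re.compile(r"^debug2: ciphers stoc: (.+)$"),
    "macs_stoc": re.compile(r"^debug2: MACs stoc: (.+)$"),
}

# Constructed sample, reproduced from the ssh -vvv transcript in this document.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,curve25519-sha256@libssh.org <--- Kex algorithms
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc <--- encryption algorithms
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1 <--- mac algorithms
"""


def parse_server_proposal(debug_output):
    """Return {name: [algorithm, ...]} for the server side of the KEXINIT exchange.

    Only lines after "peer server KEXINIT proposal" are read, so the client's own
    proposal (which appears first in real ssh -vvv output) is ignored.
    """
    proposal = {}
    in_server_section = False
    for raw in debug_output.splitlines():
        line = raw.strip()
        if line.startswith("debug2: peer server KEXINIT proposal"):
            in_server_section = True
            continue
        if not in_server_section:
            continue
        # The "<--- ..." arrows are annotations from the document, not ssh output.
        line = line.split("<---", 1)[0].rstrip()
        for name, pattern in LINE_PATTERNS.items():
            match = pattern.match(line)
            if match:
                proposal[name] = [a.strip() for a in match.group(1).split(",") if a.strip()]
    return proposal


def is_weak(algorithm):
    """True if the algorithm name matches the weak-algorithm pattern."""
    return WEAK_ALGORITHM.search(algorithm.lower()) is not None


def find_weak_algorithms(debug_output):
    """Return {name: [weak algorithm, ...]} for each list in the server proposal."""
    proposal = parse_server_proposal(debug_output)
    return {name: [a for a in algs if is_weak(a)] for name, algs in proposal.items()}


if __name__ == "__main__":
    for name, weak in find_weak_algorithms(SAMPLE_DEBUG).items():
        print("%-13s weak: %s" % (name, ", ".join(weak) or "none"))
```

Pipe the real output in with ssh -vvv <hostname> 2>&1 and feed it to find_weak_algorithms; anything it lists is what the dcos_sshd_config edits in the following sections are meant to remove.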
This applies to:
Steps:
1. Enable the bash-shell feature and open a bash session:
switch(config)# feature bash-shell
switch(config)#
switch(config)# run bash
bash-4.3$
2. Review the contents of the dcos_sshd_config file:
bash-4.3$ cat /isan/etc/dcos_sshd_config
Note: You can use grep to look at specific lines: cat /isan/etc/dcos_sshd_config | grep MAC
This applies to:
Steps:
1. Open a TAC case to obtain the dplug file that matches the NXOS version running on the switch.
2. Upload the dplug file to bootflash and create a copy of it.
switch# copy bootflash:nuova-or-dplug-mzg.7.3.8.N1.1 bootflash:dp
Note: A copy ("dp") of the original dplug file is created in bootflash, so that only the copy gets removed after the dplug is loaded and the original dplug file remains in bootflash for subsequent runs.
3. Load the copy of the dplug via the load command.
n5k-1# load bootflash:dp
Loading plugin version 7.3(8)N1(1)
###############################################################
Warning: debug-plugin is for engineering internal use only!
For security reason, plugin image has been deleted.
###############################################################
Successfully loaded debug-plugin!!!
Linux(debug)#
Linux(debug)#
2. Review the dcos_sshd_config file.
Linux(debug)# cat /isan/etc/dcos_sshd_config
1. Send a copy of the dcos_sshd_config file to bootflash:
Linux(debug)# cd /isan/etc/
Linux(debug)# copy dcos_sshd_config /bootflash/dcos_sshd_config
Linux(debug)# exit
2. Confirm the copy is on bootflash:
switch(config)# dir bootflash: | i ssh
7372 Mar 24 02:24:13 2023 dcos_sshd_config
3. Export to a server:
switch# copy bootflash: ftp:
Enter source filename: dcos_sshd_config
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the ftp server: <hostname>
Enter username: <username>
Password:
***** Transfer of file Completed Successfully *****
Copy complete, now saving to disk (please wait)...
Copy complete.
4. Make the necessary changes to the file and import back to bootflash.
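Step 4 leaves the edit itself to the administrator. As an added example (not part of Cisco's document), the Python function below performs that edit on the exported copy: it drops algorithms matching a weak-name pattern from the Ciphers, MACs and KexAlgorithms lines and refuses to write an empty list, which sshd would reject and which could cost you SSH access to the switch. It assumes the file uses the standard OpenSSH keywords; the sample configuration is constructed, the script name harden.py is hypothetical, and the weak pattern is an assumption to adapt to your baseline.

```python
import re
import sys

# Pattern for algorithm names to remove. Assumption: adapt to your own baseline.
WEAK_ALGORITHM = re.compile(r"-cbc\b|-sha1\b|group1-|arcfour|3des|-md5\b")

# sshd_config keywords whose value is a comma-separated algorithm list.
# Assumption: dcos_sshd_config uses the standard OpenSSH keywords.
LIST_KEYWORDS = ("Ciphers", "MACs", "KexAlgorithms")

# Constructed sample; not a copy of a real dcos_sshd_config.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256
"""


def harden_sshd_config(text):
    """Return (new_text, removed).

    removed maps each rewritten keyword to the algorithms dropped from it.
    Keywords are matched case-insensitively, as sshd does; comments and all
    other lines are copied through unchanged.
    """
    out_lines = []
    removed = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        keyword = parts[0] if parts else ""
        matched = next((k for k in LIST_KEYWORDS if k.lower() == keyword.lower()), None)
        if matched is None or len(parts) < 2:
            out_lines.append(line)
            continue
        algorithms = [a.strip() for a in parts[1].split(",") if a.strip()]
        keep = [a for a in algorithms if not WEAK_ALGORITHM.search(a.lower())]
        dropped = [a for a in algorithms if WEAK_ALGORITHM.search(a.lower())]
        if not keep:
            # An empty list is invalid for sshd; stop rather than emit a file that
            # would break SSH access to the switch.
            raise ValueError("every %s entry matches the weak pattern; add a "
                             "replacement before removing them" % matched)
        removed[matched] = dropped
        out_lines.append("%s %s" % (matched, ",".join(keep)))
    return "\n".join(out_lines) + "\n", removed


if __name__ == "__main__":
    # Usage (hypothetical file name): python harden.py dcos_sshd_config > dcos_sshd_config_modified
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    new_text, removed = harden_sshd_config(source)
    sys.stdout.write(new_text)
    for keyword, dropped in removed.items():
        sys.stderr.write("%s: removed %s\n" % (keyword, ", ".join(dropped)))
```

Run it against the exported file on the server, review the summary printed on stderr, and upload the result as the modified file in the next step. Keep the unmodified export until an ssh -vvv check against the switch confirms the new proposal.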
1. Upload the modified dcos_sshd_config file to bootflash.
switch# copy ftp: bootflash:
Enter source filename: dcos_sshd_config_modified.txt
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the ftp server: <hostname>
Enter username: <username>
Password:
***** Transfer of file Completed Successfully *****
Copy complete, now saving to disk (please wait)...
Copy complete.
switch#
By replacing the existing dcos_sshd_config file under /isan/etc/ with a modified dcos_sshd_config file located in bootflash. This process is not persistent across reboots.
1. Upload the modified ssh config file to bootflash:
switch# dir bootflash: | i ssh
7372 Mar 24 02:24:13 2023 dcos_sshd_config_modified
2. While in bash or Linux(debug)# mode, overwrite the existing dcos_sshd_config
file with the one in bootflash:
bash-4.3$ sudo su
bash-4.3# copy /bootflash/dcos_sshd_config_modified /isan/etc/dcos_sshd_config
3. Confirm the changes were successful:
bash-4.3$ cat /isan/etc/dcos_sshd_config
By using an EEM script that gets triggered when the log "VDC_MGR-2-VDC_ONLINE" comes up after a reload. If the EEM is triggered, a py script is run and replaces the existing dcos_sshd_config file under /isan/etc/ with a modified dcos_sshd_config file located in bootflash. This only applies to NX-OS versions that support "feature bash-shell".
1. Upload the modified dcos_sshd_config file to bootflash:
switch# dir bootflash: | i ssh
7404 Mar 03 16:10:43 2023 dcos_sshd_config_modified_7k
switch#
2. Create a py script that applies changes to the dcos_sshd_config file. Ensure to save the file with the "py" extension.
#!/usr/bin/env python
import os
os.system("sudo usermod -s /bin/bash root")
os.system("sudo su -c \"cp /bootflash/dcos_sshd_config_modified_7k /isan/etc/dcos_sshd_config\"")
3. Upload the Python script to bootflash.
switch# dir bootflash:///scripts
175 Mar 03 16:11:01 2023 ssh_workaround_7k.py
Note: Python scripts are pretty much the same on all platforms, except for N7K which contains some additional lines to overcome Cisco bug ID CSCva14865.
4. Ensure the dcos_sshd_config file name from the script and from bootflash (Step 1.) are the same:
switch# dir bootflash: | i ssh
7404 Mar 03 16:10:43 2023 dcos_sshd_config_modified_7k
switch#
switch# show file bootflash:///scripts/ssh_workaround_7k.py
#!/usr/bin/env python
import os
os.system("sudo usermod -s /bin/bash root")
os.system("sudo su -c \"cp /bootflash/dcos_sshd_config_modified_7k /isan/etc/dcos_sshd_config\"")
switch#
5. Run the script once, so that the dcos_sshd_config file is changed.
switch# source ssh_workaround_7k.py
switch#
6. Configure an EEM script, so that the py script is run every time the switch is rebooted and comes back up.
EEM N7K:
event manager applet SSH_workaround
event syslog pattern "vdc 1 has come online"
action 1.0 cli command "source ssh_workaround_7k.py"
action 2 syslog priority alerts msg "SSH Workaround implemented"
Note: EEM syntax can vary on different NXOS releases (some versions require "action <id> cli" and others "action <id> cli command"), so ensure to check that the EEM commands are taken properly.
1. Upload the modified dcos_sshd_config file to bootflash:
switch# dir | i i ssh
7732 Jun 18 16:49:47 2024 dcos_sshd_config
7714 Jun 18 16:54:20 2024 dcos_sshd_config_modified
switch#
2. Create a py script that applies changes to the dcos_sshd_config file. Ensure to save the file with the "py" extension.
#!/usr/bin/env python
import os
os.system("sudo su -c \"cp /bootflash/dcos_sshd_config_modified /isan/etc/dcos_sshd_config\"")
3. Upload the Python script to bootflash.
switch# dir | i i .py
127 Jun 18 17:21:39 2024 ssh_workaround_9k.py
switch#
4. Ensure the dcos_sshd_config file name from the script and from bootflash (Step 1.) are the same:
switch# dir | i i ssh
7732 Jun 18 16:49:47 2024 dcos_sshd_config
7714 Jun 18 16:54:20 2024 dcos_sshd_config_modified
127 Jun 18 17:21:39 2024 ssh_workaround_9k.py
switch#
switch# sh file bootflash:ssh_workaround_9k.py
#!/usr/bin/env python
import os
os.system("sudo su -c \"cp /bootflash/dcos_sshd_config_modified /isan/etc/dcos_sshd_config\"")
switch#
5. Run the script once, so that the dcos_sshd_config file is changed.
switch# python bootflash:ssh_workaround_9k.py
6. Configure an EEM script, so that the py script is run every time the switch is rebooted and comes back up.
EEM N9K and N3K:
event manager applet SSH_workaround
event syslog pattern "vdc 1 has come online"
action 1.0 cli python bootflash:ssh_workaround_9k.py
action 2 syslog priority alerts msg SSH Workaround implemented
Note: EEM syntax can vary on different NXOS releases (some versions require "action <id> cli" and others "action <id> cli command"), so ensure to check that the EEM commands are taken properly.
A modified dplug file was created via Cisco bug ID CSCvr23488 to remove these Kex Algorithms:
The dplug files provided via Cisco bug ID CSCvr23488 are not the same as the ones that are used to access the Linux shell. Open a TAC case to obtain the modified dplug from Cisco bug ID CSCvr23488.
1. Verify the current dcos_sshd_config settings:
C:\Users\user>ssh -vvv admin@<hostname>
---- snipped ----
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 <--- kex algorithms
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr <--- encryption algorithms
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1 <--- mac algorithms
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com <--- compression algorithms
2. Create a copy of the modified dplug file.
switch# copy bootflash:nuova-or-dplug-mzg.7.3.14.N1.1_CSCvr23488.bin bootflash:dp
Note: A copy ("dp") of the original dplug file is created in bootflash so that only the copy gets removed after the dplug is loaded and the original dplug file remains in bootflash for subsequent runs.
3. Apply the dplug file from Cisco bug ID CSCvr23488 manually:
switch# load bootflash:dp2
Loading plugin version 7.3(14)N1(1)
###############################################################
Warning: debug-plugin is for engineering internal use only!
For security reason, plugin image has been deleted.
###############################################################
Successfully loaded debug-plugin!!!
Workaround for CSCvr23488 implemented
switch#
4. Verify the new dcos_sshd_config settings:
C:\Users\user>ssh -vvv admin@<hostname>
---- snipped ----
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
5. Make this change persistent across reboots with an EEM script:
event manager applet CSCvr23488_workaround
event syslog pattern "VDC_MGR-2-VDC_ONLINE"
action 1 cli command "copy bootflash:nuova-or-dplug-mzg.7.3.14.N1.1_CSCvr23488.bin bootflash:dp"
action 2 cli command "load bootflash:dp"
action 3 cli command "conf t ; no feature ssh ;feature ssh"
action 4 syslog priority alerts msg "CSCvr23488 Workaround implemented"
Note: On the Nexus 7000, sudo su can fail in bash with this error:
F241.06.24-N7706-1(config)# feature bash-shell
F241.06.24-N7706-1(config)# run bash
bash-4.3$ sudo su
Cannot execute /isanboot/bin/nobash: No such file or directory <---
bash-4.3$
To overcome this, type in:
bash-4.3$ sudo usermod -s /bin/bash root
After this "sudo su" works:
bash-4.3$ sudo su
bash-4.3#
Note: This change does not survive a reload.
Note: The Nexus 7000 has a separate dcos_sshd_config file for each VDC. If SSH parameters need to be modified on a different VDC, ensure to modify the corresponding dcos_sshd_config file.
N7K# run bash
bash-4.3$ cd /isan/etc/
bash-4.3$ ls -la | grep ssh
-rw-rw-r-- 1 root root 7564 Mar 27 13:48 dcos_sshd_config <--- VDC 1
-rw-rw-r-- 1 root root 7555 Mar 27 13:48 dcos_sshd_config.2 <--- VDC 2
-rw-rw-r-- 1 root root 7555 Mar 27 13:48 dcos_sshd_config.3 <--- VDC 3
Note: A modified dcos_sshd_config file is not persistent across reboots on any Nexus platform. If changes need to be persistent, an EEM script can be used to modify the file every time the switch boots up. An enhancement on N9K changes this starting with release 10.4. See Cisco bug ID CSCwd82985 for details.
There are additional Ciphers, MACs, and Kex Algorithms that can be added if required:
switch(config)# ssh kexalgos [all | key-exchangealgorithm-name]
switch(config)# ssh macs [all | mac-name]
switch(config)# ssh ciphers [ all | cipher-name ]
Note: These commands are available on the Nexus 7000 with releases 8.3(1) and later. For the Nexus 3000/9000 platforms, the command becomes available with release 7.0(3)I7(8) and later. (All 9.3(x) releases have this command as well; see Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.3(x).)
Revision | Publish Date | Comments
---|---|---
1.0 | 01-Jul-2024 | Initial Release