
Wednesday, May 29, 2013

How do you allow only ssh version 2 with aes256-cbc hmac-sha1 to IOS router?

We have a requirement on our IOS router running the latest version of IOS 12.4T.

We would like to configure the router so that it only accepts SSH version 2 connections with aes256-cbc hmac-sha1. Every other SSH connection, such as aes192-cbc hmac-sha1 or hmac-md5, will fail.

We can get this to work on a Unix/Linux box in less than 10 seconds. However, we are not able to get this to work on IOS routers.

Unfortunately, this functionality is not yet available on Cisco IOS (as of 5-29-2013).

Restricting it to only SSH version 2 is possible. To use only SSH v2, you have to fix the version with the "ip ssh version 2" configuration command. Without doing so, the router accepts both SSH v1 and v2 connections. SSH v1 uses 3DES while SSH v2 uses AES.
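As an added example (not from the original post or from Cisco's documentation), here is the minimal configuration that pins the vty lines to SSH version 2. The hostname, domain name, user name and key size are assumed values; only the commands themselves are standard IOS.

```text
! Default behaviour: with no "ip ssh version" line the router negotiates
! both protocol versions ("show ip ssh" reports version 1.99).
!
! Hardened: assumed values are R1, example.com and admin.
hostname R1
ip domain-name example.com
username admin secret <strong-password-placeholder>
!
! An RSA host key must exist before SSH starts. It is generated once from
! privileged EXEC mode, not from configuration mode:
!   crypto key generate rsa modulus 2048
!
ip ssh version 2
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
```

After applying it, "show ip ssh" should report "SSH Enabled - version 2.0"; a client forced to protocol 1 (for example OpenSSH with "-1") is refused. Note that this only fixes the protocol version; as the post says, it does not restrict which ciphers or MACs version 2 will negotiate.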

See the Cisco document "Configuring Secure Shell on Routers and Switches Running Cisco IOS" for more information.

There isn't a way to restrict the encryption algorithm (cipher) or MAC in IOS.
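Since the router cannot enforce the cipher policy itself, the practical defender's step is to audit what the device actually advertises. The following is an added example (not from the original post, and it does not talk to any device): it builds a constructed SSH_MSG_KEXINIT payload inline, parses it following the field layout of RFC 4253 section 7.1, and reports every offered cipher and MAC that falls outside the allow-list from the question (aes256-cbc / hmac-sha1). The sample algorithm lists are constructed, not captured from a router.

```python
"""Audit the algorithms an SSH server advertises in SSH_MSG_KEXINIT (RFC 4253 7.1).

Added example. The KEXINIT payload below is constructed in-process; nothing here
connects to a router. To audit a real device, feed parse_kexinit() the payload of
the server's first post-banner packet from a capture.
"""
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of KEXINIT, in wire order, after the message byte and cookie.
KEXINIT_NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def encode_name_list(names):
    """RFC 4251 name-list: uint32 byte length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from a dict of field name -> list of algorithm names."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_NAME_LISTS:
        payload += encode_name_list(lists.get(field, []))
    payload += b"\x00"               # boolean first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # uint32 reserved (always 0)
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of field name -> list of names.

    A truncated or malformed payload raises ValueError rather than returning a
    partial result, so a bad capture is never mistaken for a clean audit.
    """
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # message byte + 16-byte random cookie
    fields = {}
    for field in KEXINIT_NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated inside {field}")
        raw = payload[offset:offset + length]
        offset += length
        # An empty name-list has zero bytes; it must not become [""].
        fields[field] = raw.decode("ascii").split(",") if raw else []
    return fields


def policy_violations(fields, allowed_ciphers, allowed_macs):
    """Return offered ciphers and MACs that are outside the allow-lists.

    Both traffic directions are checked because SSH negotiates them separately.
    An empty result means every negotiation with this server lands on allowed
    algorithms regardless of what a client proposes.
    """
    ciphers = (set(fields["encryption_algorithms_client_to_server"])
               | set(fields["encryption_algorithms_server_to_client"]))
    macs = (set(fields["mac_algorithms_client_to_server"])
            | set(fields["mac_algorithms_server_to_client"]))
    return {
        "ciphers": sorted(ciphers - set(allowed_ciphers)),
        "macs": sorted(macs - set(allowed_macs)),
    }


# Constructed sample (not a capture from any device): a server offering several
# AES-CBC sizes plus 3DES, and both HMAC-SHA1 and HMAC-MD5.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})


def audit_sample():
    """Audit the constructed sample against the policy from the question."""
    fields = parse_kexinit(SAMPLE_SERVER_KEXINIT)
    return policy_violations(fields, allowed_ciphers={"aes256-cbc"}, allowed_macs={"hmac-sha1"})


if __name__ == "__main__":
    for kind, extra in audit_sample().items():
        print(f"{kind} offered beyond policy: {', '.join(extra) or 'none'}")
```

On the constructed sample the audit lists aes128-cbc, aes192-cbc and 3des-cbc as ciphers and hmac-md5 as a MAC offered beyond policy, which is exactly the gap the post describes: the client's "-c" choice decides the outcome, so the restriction has to be enforced on the client side or with a bastion in front of the router.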

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.


  1. You can still use 3des with ssh 2 by using:
    SSH -c 3des -l

    also 128, 192, 256 AES by using -c 128-cbc, -c 192-cbc, -c 256-cbc.

    If I don't enter a -c value it picks 128 in my lab.

  2. Should be: SSH -c 3des -l user ip.

    I typed those in brackets but it cuts them out, thinking I'm trying to use code in the comment, though.

