<br>

There are two ways to identify the SSH ciphers used in EXOS.

<br>

## Option 1. Using Nmap, without logging in to the switch over SSH

Use the following command with Nmap on Linux or macOS, or with Zenmap on Windows.

<b><font color=blue>nmap -sV -p 22 --script ssh2-enum-algos 192.168.1.2</font></b>

```
macOS:/Users/analysisman% nmap -sV -p 22 --script ssh2-enum-algos 192.168.1.2
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 23:16 PST
Nmap scan report for 192.168.1.2
Host is up (0.0028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (4)
|       [email protected]
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (6)
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      [email protected]
MAC Address: 00:04:96:9B:55:AD (Extreme Networks)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.11 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.10 (94%), Linux 2.6.18 (93%), Linux 3.16 (93%), Linux 3.18 (93%), Linux 2.6.32 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
```

<br>

## Option 2. CLI command in EXOS

The "show ssh2" command shows the key type, ciphers, public key algorithms, etc.
<b><font color=blue>show ssh2</font></b>

```
X440G2-12p-10G4.2 # sho ssh2
SSH module configuration details:
SSH Access               : Enabled
Key validity             : Valid
Key type                 : RSA 2048
TCP port                 : 22
VR                       : all
Access profile           : not set
Secure Mode              : Off
Diffie-Hellman Groups    : 14 (2048 bits), 16 (4096 bits), 18 (8192 bits)
Max Auth Tries           : 3
Idle time                : 60 minutes
Rekey Interval           : 4096 MB and no time limit
Ciphers                  : [email protected], aes128-ctr, aes192-ctr, aes256-ctr
Macs                     : [email protected], [email protected], [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
Public key algorithms    : ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
Login grace timeout      : 120 seconds
```

<br>

### To enable or disable a cipher, use the following command.

<b><font color=blue># configure ssh2 enable cipher {all/ &lt;cipher&gt;}</font></b>

※ **NOTE**: You must have version **16.2.5.4-patch1-31** or later (earlier versions will not allow this command).

<br>

## Links

[[_MOC_2_Network]]

<br>

## Tags

#network #extreme
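
<br>

## Example: checking the Nmap output against an allowlist

An added example, not part of the original note or of any Extreme or Nmap tooling: it parses the `ssh2-enum-algos` block from Option 1 and lists the algorithms the switch offers that are outside a local allowlist, which are the candidates for the `configure ssh2` cipher command. The `ALLOWED` policy and the function names are assumptions for illustration, and the sample text is constructed from algorithm names in the scan above.

```python
import re

# Constructed sample in the layout the ssh2-enum-algos script prints.
SAMPLE = """\
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group16-sha512
|   encryption_algorithms: (2)
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms: (1)
|_      none
MAC Address: 00:04:96:9B:55:AD (Extreme Networks)
"""

# Assumed local policy (not from the page): what this site chooses to allow.
ALLOWED = {
    "kex_algorithms": {"diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"},
    "encryption_algorithms": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "mac_algorithms": {"hmac-sha2-256", "hmac-sha2-512"},
}

HEADER = re.compile(r"^(\w+): \((\d+)\)$")  # e.g. "kex_algorithms: (4)"

def parse_enum_algos(text):
    """Return {category: [algorithms]} from ssh2-enum-algos script output."""
    result, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_").strip()
        if not raw.startswith("|"):
            in_block = False                      # left the script output area
        elif line.startswith("ssh2-enum-algos:"):
            in_block = True
        elif in_block and (m := HEADER.match(line)):
            current = result.setdefault(m.group(1), [])
        elif in_block and current is not None and line:
            current.append(line)
        if raw.startswith("|_"):                  # "|_" ends one script's output
            in_block, current = False, None
    return result

def outside_policy(algos, allowed=ALLOWED):
    """List (category, algorithm) pairs offered but not on the allowlist."""
    return [(cat, a) for cat, names in algos.items()
            if cat in allowed for a in names if a not in allowed[cat]]
```

Categories with no entry in `ALLOWED` (here `compression_algorithms`) are parsed but not checked.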