This document describes how to review and configure SSH authentication versions on the Cisco Email Security Appliance (ESA).
How do I make sure that my ESA only accepts SSH connections from clients using SSH v2?
The ESA can be configured to allow Secure Shell (SSH) connections. SSH connections encrypt traffic between the connecting host and the ESA. This protects authentication information like username and passwords. There are two major versions of the SSH protocol: version 1 (SSH v1) and version 2 (SSH v2). SSH v2, being more recent, is more secure than SSH v1, and thus many ESA administrators prefer to only allow connections from clients using SSH v2.
On versions of AsyncOS through 7.6.3, disabling SSH v1 connections can be done from the CLI with sshconfig:
mail3.example.com> sshconfig Currently installed keys for admin: Choose the operation you want to perform: - NEW - Add a new key. - USER - Switch to a different user to edit. - SETUP - Configure general settings. > setup SSH v1 is currently ENABLED. Choose the operation you want to perform: - DISABLE - Disable SSH v1 > DISABLE
On versions of AsyncOS 8.x and newer, the option of disabling SSH v1 does not exist with sshconfig. If SSH v1 was enabled prior to the upgrade of 8.x, SSH v1 will remain enabled and accessible on the ESA, even after the upgrade is complete even though all support for SSH v1 has been removed. This may be an issue for administrators who perform regular security audits and penetration testing.
As all support for SSH v1 has been removed, a support request must be opened to have SSHv1 disabled.
Run the following command from an external Linux/Unix host, or other applicable CLI connection of choice, to confirm if SSH v1 is enabled or disabled to the ESA in question:
robert@my_ubuntu:~$ ssh -1 email@example.com Protocol major versions differ: 1 vs. 2
The expected output is "Protocol major versions differ: 1 vs. 2", which would signal that SSH v1 is disabled. If not, and SSH v1 is still enabled, you will see:
robert@my_ubuntu:~$ ssh -1 firstname.lastname@example.org Password: Response: Last login: Thu Oct 30 14:53:40 2014 from 192.168.0.3 Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.0.1 for Cisco IronPort C360 build 023
Welcome to the Cisco IronPort C360 Messaging Gateway(tm) Appliance myesa.local>
This output would signal that SSH v1 is still in use and can cause insecurity with the ESA after upgrading it to 8.x or newer. This may be brought to attention with a penetration test or security audit, and identify a significant gap. In order to correct, you will need to open a support case and request to have this corrected. You will need to be able to provide a support tunnel from the ESA for Cisco Technical Support.