PDF(87.5 KB) View with Adobe Reader on a variety of devices
ePub(86.8 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(74.3 KB) View on Kindle device or Kindle app on multiple devices
Updated:October 18, 2022
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to troubleshoot/resolve SSH issues to a Nexus 9000 after a code upgrade.
Before the cause of the SSH issues are explained, it is necessary to know about the 'SSH Server CBC Mode Ciphers Enabled & SSH Weak MAC Algorithms Enabled' vulnerability which affects the Nexus 9000 platform.
CVE ID - CVE- 2008-5161 (SSH Server CBC Mode Ciphers Enabled & SSH Weak MAC Algorithms Enabled)
Issue description - SSH Server CBC Mode Ciphers Enabled Vulnerability (SSH Server CBC Mode Ciphers Enabled)
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This can allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Recommended solution - Disable CBC mode cipher encryption, and enable counter (CTR) mode or Galois/Counter Mode (GCM) cipher mode encryption
After you upgrade the code to 7.0(3)I2(1), you are unable to SSH into the Nexus 9000 and receive this error:
no matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,email@example.com server
The reason you are unable to SSH into the Nexus 9000 after you upgrade to code 7.0(3)I2(1) and later is weak ciphers are disabled via the Cisco bug ID CSCuv39937 fix.
The long term solution for this problem is to use the updated/latest SSH client which has old weak ciphers disabled.
The temporary solution is to add weak ciphers back on the Nexus 9000. There are two possible options for the temporary solution, which depends on the version of code.
Temporary Option 1. ssh cipher-mode weak Command (Available with NXOS 7.0(3)I4(6) or Later)
Introduced by Cisco bug ID CSCvc71792 - implement a knob to allow weak ciphers aes128-cbc,aes192-cbc,aes256-cbc.
Adds support for these weak ciphers - aes128-cbc, aes192-cbc, and aes256-cbc.
There is still no support for 3des-cbc cipher.
! baseline: only strong Ciphers aes128-ctr,aes192-ctr,aes256-ctr allowed 9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# feature bash 9k(config)# run bash sudo grep -i cipher /isan/etc/dcos_sshd_config #secure ciphers and MACs #CSCun41202 : Disable weaker Ciphers and MACs Ciphers aes128-ctr,aes192-ctr,aes256-ctr <<----- only strong ciphers
! enable the weak aes-cbc ciphers with NXOS command ! Note that weak cipher 3des-cbc is still disabled.
9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# ssh cipher-mode weak 9k(config)# end
!! verification: 9k# run bash sudo grep -i cipher /isan/etc/dcos_sshd_config #secure ciphers and MACs #CSCun41202 : Disable weaker Ciphers and MACs Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc <<---
! rollback: use the 'no' form of the command 9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# no ssh cipher-mode weak 9k(config)# end
Temporary Option 2. Use Bash in Order to Modify the sshd_config File and Explicitly Re-add the Weak Ciphers
If you comment out the cipher line from the /isan/etc/sshd_config file, all default ciphers are supported (this includes aes128-cbc, 3des-cbc, aes192-cbc, and aes256-cbc).
bash-4.2$ sudo su - root@N9K-1#cd /isan/etc root@N9K-1#cat dcos_sshd_config | egrep Cipher #CSCun41202 : Disable weaker Ciphers and MACs Ciphers aes128-ctr,aes192-ctr,aes256-ctr <<<< only allowed ciphers (eliminate known vulnerability).
!! Create a back up of the existing SSHD_CONFIG root@N9K-1#mv dcos_sshd_config dcos_sshd_config.backup
!! comment out the cipher line and save to config (effectively removing the restriction) cat dcos_sshd_config.backup | sed 's@^Cipher@# Cipher@g' > dcos_sshd_config
!! Verify root@N9K-1#cat dcos_sshd_config | egrep Cipher #CSCun41202 : Disable weaker Ciphers and MACs # Ciphers aes128-ctr,aes192-ctr,aes256-ctr << see inserted comment # before Cipher (to remove the limitation)
root@N9K-1#exit logout bash-4.2$ exit exit N9K-1(config)# no feature bash N9K-1(config)# exit
Note that when you add old ciphers back you revert to the use of weak ciphers and hence it is a security risk.
Review and republish document to conform to current CCW and Cisco.com publishing standards.