I had a customer come to me and ask me to disable SSH version 1 on their Cisco ASA firewall because they were in the process of having a vulnerability scan run on their network. OK, no big deal, but I thought I'd show a couple of neat things.
First, how do we disable SSH version 1 and only allow SSH version 2? Like this: "ssh version 2" in config mode. That's it.
So, with that said, you can also look at your current SSH sessions to see what version people are using. Let's first look at version 1. I am a little confused about one thing in particular. Notice that under the "Version" column, it says "1.5". I understand this as version 1, but I'm not sure what it means to have version 1.5. I haven't figured that out at the time of this writing, and I'm not sure I care. I just need version 1.anything disabled. Here is what it looks like:
"sho ssh session"
SID Client IP Version Mode Encryption Hmac State Username
1 24.196.3.248 1.5 - 3DES - SessionStarted sk
Now, with version 2, it looks like this:
"sho ssh session"
SID Client IP Version Mode Encryption Hmac State Username
1 24.196.3.248 2.0 IN aes256-cbc sha1 SessionStarted sk
OUT aes256-cbc sha1 SessionStarted sk
Notice the differences. The main thing is the encryption algorithm: AES-256 with an SHA-1 HMAC is much stronger than 3DES, which in the version 1 session has no HMAC at all (the Hmac column shows "-").
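If you have a lot of ASAs, it is handy to pull "show ssh session" output off each box and flag any session that is still on version 1.x (or has no HMAC). The parser below is an added example, not something from the original post or from Cisco; the sample output is constructed to match the two listings above, with the version 2 session given SID 2 so both fit in one listing.

```python
"""Parse Cisco ASA "show ssh session" output and flag SSHv1 sessions.

Added example, not from the original post. SAMPLE is constructed to
match the two listings on the page (one v1.5 session, one v2.0 session
whose OUT direction is printed as a continuation row).
"""
import re

SAMPLE = """\
SID Client IP Version Mode Encryption Hmac State Username
1 24.196.3.248 1.5 - 3DES - SessionStarted sk
2 24.196.3.248 2.0 IN aes256-cbc sha1 SessionStarted sk
OUT aes256-cbc sha1 SessionStarted sk
"""

# First row of a session: SID, client IP, version, then the per-direction fields.
FULL_ROW = re.compile(
    r"^(?P<sid>\d+)\s+(?P<ip>\S+)\s+(?P<version>\d+\.\d+)\s+(?P<mode>\S+)\s+"
    r"(?P<enc>\S+)\s+(?P<hmac>\S+)\s+(?P<state>\S+)\s+(?P<user>\S+)$"
)
# Continuation row for a v2 session (the OUT direction): no SID/IP/version.
CONT_ROW = re.compile(
    r"^(?P<mode>IN|OUT)\s+(?P<enc>\S+)\s+(?P<hmac>\S+)\s+(?P<state>\S+)\s+(?P<user>\S+)$"
)


def parse_sessions(text):
    """Return one dict per session; 'directions' holds (mode, cipher, hmac) tuples."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SID"):
            continue  # skip blank lines and the column header
        m = FULL_ROW.match(line)
        if m:
            d = m.groupdict()
            sessions.append({
                "sid": int(d["sid"]), "ip": d["ip"], "version": d["version"],
                "user": d["user"],
                "directions": [(d["mode"], d["enc"], d["hmac"])],
            })
            continue
        m = CONT_ROW.match(line)
        if m and sessions:  # attach the OUT row to the session just parsed
            sessions[-1]["directions"].append((m["mode"], m["enc"], m["hmac"]))
    return sessions


def weak_sessions(sessions):
    """Sessions still on SSH 1.x, or with no HMAC (the ASA prints '-' there)."""
    return [s for s in sessions
            if s["version"].startswith("1.")
            or any(hmac == "-" for _, _, hmac in s["directions"])]
```

Running weak_sessions(parse_sessions(SAMPLE)) returns only the 1.5 session, which is exactly what the "ssh version 2" command gets rid of.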