Cisco ISR 4000 series Configuration Manual page 18

Cisco ISR 4000 Family Routers Administrator Guidance
In addition, configure your ssh client for dh-group-14. In Putty, configure the SSH client
to support only diffie-hellman-group14-sha1 key exchange. To configure Putty, do the
following:

Go into Putty Configuration Select > Connection > SSH > Kex;

Under Algorithm selection policy: move Diffie-Hellman group 14 to the top of the
list;
Move the "warn below here" option to right below DH group14
6. Configure vty lines to accept 'ssh' login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure a SSH client to support only the following specific encryption algorithms:
 AES-CBC-128
 AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure a SSH client to support message authentication. Only the following MACs are
allowed and "None" for MAC is not allowed:
a. hmac-sha1
b. hmac-sha1-96
peer#ssh -l cisco -m hmac-sha1-160 1.1.1.1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. To verify the proper encryption algorithms are used for established connections, use the
show ssh sessions command:
TOE-common-criteria# show ssh sessions
Note: To disconnect SSH sessions, use the ssh disconnect command:
TOE-common-criteria# ssh disconnect
10. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be
configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
11. HTTP and HTTPS servers were not evaluated and must be disabled:
TOE-common-criteria(config)# no ip http server
TOE-common-criteria(config)# no ip http secure-server
12. SNMP server was not evaluated and must be disabled:
TOE-common-criteria(config)# no snmp-server
Page 18 of 66