I posted this on the main stack overflow page, but then I remembered that this niche existed. Figured it was worth a cross-post…

During a recent Nessus security scan at work, some of our NX-OS devices popped hot for a vulnerability relating to an insecure cipher (purposefully being vague here, since I am posting security-related stuff in a public forum) being offered as an option when establishing ssh connections.

After contacting Cisco TAC about how to remediate this vulnerability, they said that the only way to remediate at this time is by:

  1. Create a modified version of the isan/etc/dcos_sshd_config file in bootflash that removes the insecure ciphers from being offered when establishing ssh connections.
  2. Create a python script that replaces the file created in step 1 with the one that is there on boot in isan/etc/.
  3. Run the python script created in step 2.
  4. Create an event manager applet to re-run the script created in step 2 on reboot.

So, to me, this means that the isan/etc/dcos_sshd_config file is recreated at boot-time.

Now, my boss doesn’t like using the solution provided by TAC, because in the past, when they have suggested workarounds that involved running scripts with the event manager, they have caused a total network outage. He has asked me to find an alternate solution, and after extensive Google searches, I am coming up empty-handed.

Onto my question: What is generating the isan/etc/dcos_sshd_config file, and is it possible to modify that to not write the insecure ciphers to the isan/etc/dcos_sshd_config file?

Here’s some potentially relevant OS information:

  bash-4.4$ uname -a
  Linux 5.10.149 #1 SMP Fri Dec 16 07:06:50 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Thank you all in advance for your time and consideration.
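As an added example (not from the original post, and not Cisco's or TAC's code): a Python helper for the kind of edit step 1 describes, dropping named algorithms from the Ciphers/MACs/KexAlgorithms lines of an sshd_config-style file while leaving every other line untouched, and refusing to write a line that would be left with no algorithms at all. The sample config and the names removed are constructed for illustration and are not the scan's actual finding; no NX-OS file path or EEM behaviour is assumed.

```python
import re

# Constructed sample of an sshd_config-style file. The algorithm names and the
# removal set passed below are illustrative, not the finding from the scan.
SAMPLE_CONFIG = """# constructed sample, not a real dcos_sshd_config
Port 22
Protocol 2
Ciphers aes128-ctr,aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-sha2-256,hmac-sha1
Subsystem sftp /usr/libexec/sftp-server
"""

# sshd_config keywords whose value is a comma-separated algorithm list.
LIST_KEYWORDS = {"ciphers", "macs", "kexalgorithms"}


def strip_algorithms(config_text, disallowed):
    """Return (new_text, removed): the config with every name in `disallowed`
    dropped from Ciphers/MACs/KexAlgorithms lines, plus the list of names that
    were actually removed. Comments, other directives and ordering are kept.
    Raises ValueError rather than emitting an empty list, which sshd rejects."""
    disallowed = {a.lower() for a in disallowed}
    out, removed = [], []
    for line in config_text.splitlines():
        m = re.match(r"^(\s*)(\S+)(\s+)(.*\S)\s*$", line)
        if not m or m.group(2).lower() not in LIST_KEYWORDS:
            out.append(line)  # comment, blank or unrelated directive
            continue
        indent, keyword, sep, value = m.groups()
        algos = [a.strip() for a in value.split(",") if a.strip()]
        keep = [a for a in algos if a.lower() not in disallowed]
        removed.extend(a for a in algos if a.lower() in disallowed)
        if not keep:
            raise ValueError("%s line would be left empty" % keyword)
        out.append("%s%s%s%s" % (indent, keyword, sep, ",".join(keep)))
    return "\n".join(out) + "\n", removed


def harden_file(src_path, dst_path, disallowed):
    """Filter src_path into dst_path; returns the removed names for logging."""
    with open(src_path) as f:
        new_text, removed = strip_algorithms(f.read(), disallowed)
    with open(dst_path, "w") as f:
        f.write(new_text)
    return removed


if __name__ == "__main__":
    text, gone = strip_algorithms(SAMPLE_CONFIG, ["aes128-cbc", "3des-cbc", "hmac-sha1"])
    print(text)
    print("removed:", gone)
```

Diff the output against the original before deploying it, and keep the ValueError behaviour: a config that offers no ciphers at all locks out ssh management rather than hardening it.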
