By default, the Cisco ASA will allow clients to connect using SSH-1 or SSH-2. You can configure the ASA to accept only clients that use SSH-2. Just use the ssh ver 2 command:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# sh ssh
Timeout: 5 minutes
Version allowed: 2
11.11.11.2 255.255.255.255 outside
Below is the console output when an SSH-2 client connects to the ASA. (You need to enable SSH debugging first with the debug ssh command.)
You can see the steps involved in establishing an SSH-2 connection. The client connects from 11.11.11.2, the server (the ASA) sends its host key, and the client and server negotiate which SSH version and which encryption to use. Once the connection is established, you can see the client authenticate using the default SSH username “pix”. At the end, you can see the session terminate normally.
ciscoasa(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2' interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
client version string:SSH-2.0-PuTTY_Release_0.60
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1000 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication successful for pix
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80
SSH2 0: shell request
SSH2 0: shell message received
SSH0: Session terminated normally
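As an added example (not part of the original post or of any Cisco tool), here is a small Python audit script that pulls the security-relevant facts out of the debug ssh output above (client IP, client protocol version, negotiated cipher/MAC, authenticated user) and checks the show ssh output for "Version allowed: 2". The sample strings are constructed from the lines shown on this page; the line formats are assumed to match ASA 8.4 as shown.

```python
import re

# Constructed sample: a subset of the page's "debug ssh" lines for one SSH-2 session.
DEBUG_SSH = """\
SSH0: SSH client: IP = '11.11.11.2' interface # = 2
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: authentication successful for pix
SSH0: Session terminated normally
"""

# Constructed sample: the page's "show ssh" output after "ssh ver 2".
SHOW_SSH = "Timeout: 5 minutes\nVersion allowed: 2\n11.11.11.2 255.255.255.255 outside\n"


def parse_debug_ssh(text):
    """Extract the facts a reviewer cares about from ASA 'debug ssh' output."""
    s = {"client_ip": None, "client_banner": None, "client_major": None,
         "kex": {}, "auth_user": None, "clean_exit": False}
    for line in text.splitlines():
        m = re.search(r"SSH client: IP = '([^']+)'", line)
        if m:
            s["client_ip"] = m.group(1)
        m = re.search(r"client version is - (SSH-(\d)\.\d+\S*)", line)
        if m:  # banner major version tells us whether the client spoke SSH-1 or SSH-2
            s["client_banner"], s["client_major"] = m.group(1), int(m.group(2))
        m = re.search(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)", line)
        if m:  # negotiated cipher, MAC and compression per direction
            s["kex"][m.group(1)] = {"cipher": m.group(2), "mac": m.group(3), "comp": m.group(4)}
        m = re.search(r"authentication successful for (\S+)", line)
        if m:
            s["auth_user"] = m.group(1)
        if "Session terminated normally" in line:
            s["clean_exit"] = True
    return s


def findings(session, show_ssh):
    """Audit findings: SSH not restricted to v2, an SSH-1 client seen, default 'pix' user."""
    out = []
    if not re.search(r"^Version allowed: 2$", show_ssh, re.M):
        out.append("ssh version not restricted to 2")
    if session["client_major"] == 1:
        out.append("SSH-1 client connected")
    if session["auth_user"] == "pix":  # the default username the page shows with 'no AAA'
        out.append("default username pix used (no AAA)")
    return out
```

Run the two functions over captured output from show ssh and debug ssh; a non-empty findings list points at something to fix (enable ssh ver 2, configure AAA for SSH).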
Additional Information:
Debug ssh command in the Cisco ASA 8.4 Command Reference.
Ssh command in the Cisco ASA 8.4 Command Reference.
Show ssh command in the Cisco ASA 8.4 Command Reference.