Symptom

enhancement to implement a knob to allow weak SSH ciphers. use 'ssh cipher-mode weak' to add support for weak ciphers aes128-cbc,aes192-cbc,aes256-cbc 9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# ssh cipher-mode weak 9k(config)# end !! verification: 9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# feature bash 9k(config)# end 9k# run bash sudo grep -i cipher /isan/etc/dcos_sshd_config #secure ciphers and MACs #CSCun41202 Bug-Preview for CSCun41202 : Disable weaker Ciphers and MACs Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc <<--- ! rollback: use the 'no' form of the command 9k# conf t Enter configuration commands, one per line. End with CNTL/Z. 9k(config)# no ssh cipher-mode weak 9k(config)# end

Conditions

With the introduction of CSCun41202 strong ciphers were enforced across NxOS

Workaround

Further Problem Description