SecureCRT - Cisco ASA - The server supports these MACs: hmac-sha2-256. [SOLVED]

Not sure, but it looks like starting with Cisco ASA release 9.12(2) the SSH integrity algorithms were hardened so that the list contains just one algorithm, hmac-sha2-256. By default “ssh cipher integrity” is set to “high”, and here is what that means:

asa# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
        all:     3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        low:     3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        medium:  aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        fips:    aes128-cbc   aes256-cbc
        high:    aes256-cbc   aes256-ctr
Integrity Algorithms:
        all:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96  hmac-sha2-256
        low:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96  hmac-sha2-256
        medium:  hmac-sha1    hmac-sha1-96 hmac-sha2-256
        fips:    hmac-sha1    hmac-sha2-256
        high:    hmac-sha2-256
asa#

In previous releases “ssh cipher integrity” was set to “medium”. Moreover, in previous releases even “high” contained “hmac-sha1”.

asa# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
        all:     3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        low:     3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        medium:  aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr
        fips:    aes128-cbc   aes256-cbc
        high:    aes256-cbc   aes256-ctr
Integrity Algorithms:
        all:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96
        low:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96
        medium:  hmac-sha1    hmac-sha1-96
        fips:    hmac-sha1
        high:    hmac-sha1
asa#

Well, more security is better, but if you use an old version of VanDyke SecureCRT (7.0.3 in particular) that does NOT support hmac-sha2-256, you will see the following message:

Key exchange failed.
No compatible MAC. The server supports these MACs: hmac-sha2-256

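So, if you have ASA 9.12(2) or higher and you’d like to connect using an old SecureCRT, the workaround is to set the integrity level back to “medium”, which per the output above offers hmac-sha1 and hmac-sha1-96 in addition to hmac-sha2-256: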

conf t
 ssh cipher integrity medium
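
To check a client against each integrity level before changing the ASA, the sketch below (an added example, not part of the original post) parses the 9.12(2) “show ssh ciphers” output shown above and applies the SSH rule that the negotiated MAC is the first one on the client's list that the server also offers. The client MAC list is a constructed assumption standing in for a client without hmac-sha2-256, not SecureCRT's actual offer, and the function names are hypothetical.

```python
import re

# "show ssh ciphers" output from ASA 9.12(2), as shown in the post
# (encryption rows trimmed to one line to keep the sample short).
ASA_9_12_2 = """\
Encryption Algorithms:
        high:    aes256-cbc   aes256-ctr
Integrity Algorithms:
        all:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96  hmac-sha2-256
        low:     hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96  hmac-sha2-256
        medium:  hmac-sha1    hmac-sha1-96 hmac-sha2-256
        fips:    hmac-sha1    hmac-sha2-256
        high:    hmac-sha2-256
"""

# Constructed client offer (assumption): a client with no hmac-sha2-256 support.
LEGACY_CLIENT_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5"]


def parse_levels(output, section="Integrity Algorithms:"):
    """Return {level: [algorithms]} for one section of 'show ssh ciphers'."""
    levels, active = {}, False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.endswith("Algorithms:"):
            # Section header: only collect rows under the requested section.
            active = stripped == section
            continue
        m = re.match(r"(\w+):\s+(.*)", stripped)
        if active and m:
            levels[m.group(1)] = m.group(2).split()
    return levels


def negotiate(client_macs, server_macs):
    """RFC 4253 section 7.1: first MAC on the client's list the server also supports."""
    return next((mac for mac in client_macs if mac in server_macs), None)


def compatibility(client_macs, output):
    """Map each integrity level to the MAC that would be negotiated (None = failure)."""
    return {lvl: negotiate(client_macs, macs)
            for lvl, macs in parse_levels(output).items()}


if __name__ == "__main__":
    for level, mac in compatibility(LEGACY_CLIENT_MACS, ASA_9_12_2).items():
        print(f"{level:7} -> {mac or 'No compatible MAC'}")
```

For this client, only “high” fails; every other level ends up negotiating hmac-sha1, so the workaround trades the SHA-2 MAC for a SHA-1 MAC on those sessions.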

Good luck!
