Symptom
After a reboot of a Firepower 2110 device running ASA software release 9.12.1, ssh version 1 2 is always automatically added to the running-config, and the ASA allows SSH version 1 connections for CLI console access.
Conditions
The ASA has the default ssh version 2 configuration and is reloaded. After the reload, ssh version 1 2 is always automatically added to the running-config.
ciscoasa# sh run ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 1 2
ssh key-exchange group dh-group14-sha1
Workaround
Manually configure ssh version 2 so that only SSH version 2 connections to the CLI console are allowed.
ciscoasa# config t
ciscoasa(config)# ssh version 2
ciscoasa(config)# exit
ciscoasa# show run ssh
ssh stricthostkeycheck
ssh key-exchange group dh-group14-sha1
ciscoasa# show run all ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
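The following is an added example, not Cisco code: a small Python check that classifies saved show run ssh / show run all ssh output as allowing SSH version 1 or not. The function names and result labels are assumptions made for this example; the sample captures are copied from the outputs on this page.

```python
import re

# An "ssh version" line as it appears in "show run ssh" / "show run all ssh"
# output. Anchored at line start so typed commands after a prompt
# ("ciscoasa(config)# ssh version 2") are not mistaken for config lines.
SSH_VERSION_RE = re.compile(r"^\s*ssh version\s+(\d(?:\s+\d)*)\s*$")

def ssh_versions(capture):
    """Return the set of versions on "ssh version" lines, or None if absent."""
    found = None
    for line in capture.splitlines():
        m = SSH_VERSION_RE.match(line)
        if m:
            found = (found or set()) | set(m.group(1).split())
    return found

def audit(capture):
    """Classify a capture: SSHV1_ALLOWED, OK, or NOT_SHOWN."""
    versions = ssh_versions(capture)
    if versions is None:
        # "show run ssh" on this page omits the line once version 2 is set,
        # so absence is inconclusive: check "show run all ssh" instead.
        return "NOT_SHOWN"
    return "SSHV1_ALLOWED" if "1" in versions else "OK"

# Captures copied from the outputs on this page.
AFTER_RELOAD = """ciscoasa# sh run ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 1 2
ssh key-exchange group dh-group14-sha1
"""
WORKAROUND_RUN = """ciscoasa# show run ssh
ssh stricthostkeycheck
ssh key-exchange group dh-group14-sha1
"""
WORKAROUND_RUN_ALL = """ciscoasa# show run all ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
"""

if __name__ == "__main__":
    for name in ("AFTER_RELOAD", "WORKAROUND_RUN", "WORKAROUND_RUN_ALL"):
        print(name, audit(globals()[name]))
```

Run it against output captured after each reload, since the symptom appears at reload time.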
Further Problem Description
The ASA allows SSH version 1 connections for CLI console access even though the release notes for the 9.12.1 release said that SSH version 1 is no longer supported; only version 2 is supported. The ssh version 1 command will be migrated to ssh version 2.