Checking Cisco switches for SSH capability

I believe there is already a compliance report you can run provided all 500 are in Solarwinds that will tell you in they are running SSH or not.  I ran it when I first started with this company.  Then I found out versions needed to be upgraded to support SSH.  But, at least that is where I started.

Which versions of IOS are being run? Per this site (dated 2007) http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html "SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S."

Are any running CAT OS?  If so, 6.1 and higher support:  http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/13881-ssh-cat-switches.html

You'll need to make sure you're running a version of IOS that is k9. LAN Base and LAN Lite versions of IOS do not support SSH. If you want to quickly check if SSH is already configured, I'd suggest nmap/zenmap.

While you're at the task of discovery for remediation and migration to SSH, remember SSH-V1 is no longer accepted as secure.  Upgrade to SSH-V2 as your first step, bypassing V1.

If you have NCM, you can not only report on your hardware's version of codes that are compatible with SSH-V2 and are running K9 versions of code, but you can also have NCM implement SSH, generate a new key (mandatory for using SSH the first time), set the SSH source interface, lock down any/all interfaces that were using Telnet and force them to only accept SSH-V2, etc.

Further, start using ISE or ACS if you're not already doing so, and move from RADIUS to TACACS to get a complete AAA solution that Authenticates users trying to access your gear, Authorizes which commands they are allowed to run on your gear, and performs complete Accounting of their actions so you know who issued exactly what commands at any specific date & time.  Nothing less works for proving you're doing right by your company's security when an audit happens.