https://community.cisco.com/t5/network-security/problem-with-weak-ssh-key-exchange-options/m-p/3762442#M8428 <P>I am having an issue with the SSH connectivity groups, it does not let me use SHA256 which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself.&nbsp; There are options to set the ASDM and VPN exchanges, but I only have group 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in&nbsp;<A href="https://www.ietf.org/rfc/rfc4419.txt" target="_blank">https://www.ietf.org/rfc/rfc4419.txt</A> which is way back in 2006.</P> <P>&nbsp;</P> <P>Is it the case that my security device doesn't support more advanced exchanges?&nbsp; Is there no way to use something more advanced than:</P> <PRE class="lang:sh decode:true">ssh key-exchange group dh-group1-sha1</PRE> <P>Any assistance would be greatly appreciated.</P> <P>&nbsp;</P> <P>I am running the latest software and ASDM v10.1 on an ASA-5525-X.</P> <P>&nbsp;</P> <P><A href="https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html" target="_blank">https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html</A></P> Fri, 21 Feb 2020 16:34:17 GMT sp2lm@leidos.com 2020-02-21T16:34:17Z https://community.cisco.com/t5/network-security/problem-with-weak-ssh-key-exchange-options/m-p/3762442#M8428 <P>I am having an issue with the SSH connectivity groups, it does not let me use SHA256 which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself.&nbsp; There are options to set the ASDM and VPN exchanges, but I only have group 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in&nbsp;<A href="https://www.ietf.org/rfc/rfc4419.txt" target="_blank">https://www.ietf.org/rfc/rfc4419.txt</A> which is way back in 2006.</P> <P>&nbsp;</P> <P>Is it the case that my security device doesn't support more advanced exchanges?&nbsp; Is there no way to use something more advanced than:</P> <PRE class="lang:sh decode:true">ssh key-exchange group dh-group1-sha1</PRE> <P>Any assistance would be greatly appreciated.</P> <P>&nbsp;</P> <P>I am running the latest software and ASDM v10.1 on an ASA-5525-X.</P> <P>&nbsp;</P> <P><A href="https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html" target="_blank">https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html</A></P> Fri, 21 Feb 2020 16:34:17 GMT https://community.cisco.com/t5/network-security/problem-with-weak-ssh-key-exchange-options/m-p/3762442#M8428 sp2lm@leidos.com 2020-02-21T16:34:17Z https://community.cisco.com/t5/network-security/problem-with-weak-ssh-key-exchange-options/m-p/3763808#M8429 <P>So, I have my answer for anyone whose interested:&nbsp; Yes, the ASA is using weak key exchanges which are susceptible to the LogJam attack.&nbsp; OpenSSH 7 and above removes support for&nbsp;<SPAN>diffie-hellman-group1-sha1 as a default, by specifying it manually we are about to get in on the CLI and by modifying the&nbsp;~/.ssh/config file we are able to allow it to be used on a host which is using a weak protocol, which hilariously in this cases is an expensive ASA Firewall.</SPAN></P> <P>&nbsp;</P> <P><SPAN>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost</SPAN></P> <P>&nbsp;</P> <P><A href="https://www.openssh.com/legacy.html" target="_blank">https://www.openssh.com/legacy.html</A></P> Fri, 14 Dec 2018 15:12:11 GMT https://community.cisco.com/t5/network-security/problem-with-weak-ssh-key-exchange-options/m-p/3763808#M8429 sp2lm@leidos.com 2018-12-14T15:12:11Z