Problem with Weak SSH Key Exchange Options

I am having an issue with the SSH connectivity groups; it does not let me use SHA256, which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself. There are options to set the ASDM and VPN exchanges, but I only have groups 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in https://www.ietf.org/rfc/rfc4419.txt, which is way back in 2006.

Is it the case that my security device doesn't support more advanced exchanges?  Is there no way to use something more advanced than:

ssh key-exchange group dh-group1-sha1

Any assistance would be greatly appreciated.

I am running the latest software and ASDM v10.1 on an ASA-5525-X.

https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

1 Reply

So, I have my answer for anyone who's interested: Yes, the ASA is using weak key exchanges which are susceptible to the LogJam attack. OpenSSH 7 and above removes support for diffie-hellman-group1-sha1 as a default; by specifying it manually we are able to get in on the CLI, and by modifying the ~/.ssh/config file we are able to allow it to be used on a host which is using a weak protocol, which hilariously in this case is an expensive ASA Firewall.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

https://www.openssh.com/legacy.html
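Added example, not code from this thread, from Cisco or from OpenSSH: a small Python parser for the SSH_MSG_KEXINIT name-lists (RFC 4253 wire format) that flags the SHA-1 key-exchange methods discussed above, so an auditor can inventory such hosts without having to re-enable the legacy method on the client. The sample payload and the LEGACY_KEX classification are this example's own constructions.

```python
import struct

SSH_MSG_KEXINIT = 20
# SHA-1 based kex methods to flag (this example's own list; OpenSSH 7.0+ drops group1-sha1 by default).
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",          # 1024-bit group, SHA-1 (LogJam range)
    "diffie-hellman-group-exchange-sha1",  # negotiated group size, SHA-1
    "diffie-hellman-group14-sha1",         # 2048-bit group, still SHA-1
}
# KEXINIT carries ten name-lists in this order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                    "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _read_name_list(buf, offset):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length].decode("ascii")
    return [n for n in raw.split(",") if n], offset + length

def parse_kexinit(payload):
    """Parse an unencrypted SSH_MSG_KEXINIT payload into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # message type byte + 16-byte random cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        fields[name], offset = _read_name_list(payload, offset)
    fields["first_kex_packet_follows"] = bool(payload[offset])
    return fields

def legacy_kex_offered(payload):
    """Server-offered kex methods that fall in LEGACY_KEX, in the server's order."""
    return [k for k in parse_kexinit(payload)["kex"] if k in LEGACY_KEX]

def build_kexinit(name_lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from ten name-lists (used here to construct samples)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        encoded = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(encoded)) + encoded
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=0, reserved

# Constructed sample (not a capture from any real device): a server that, like the
# one described above, offers only the SHA-1 DH groups.
LEGACY_SERVER_KEXINIT = build_kexinit([
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], ["ssh-rsa"],
    ["aes128-cbc", "3des-cbc"], ["aes128-cbc", "3des-cbc"], ["hmac-sha1"], ["hmac-sha1"],
    ["none"], ["none"], [], [],
])
```

Feeding a real server's KEXINIT payload (the first unencrypted packet after the version banner) to `legacy_kex_offered` gives the list an auditor needs; an empty list means the host already offers only SHA-2 or curve-based exchanges.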
