cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1302
Views
0
Helpful
1
Replies

Problem with Weak SSH Key Exchange Options

sp2lm@leidos.com
Beginner
Beginner

I am having an issue with the SSH connectivity groups, it does not let me use SHA256 which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself.  There are options to set the ASDM and VPN exchanges, but I only have group 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in https://www.ietf.org/rfc/rfc4419.txt which is way back in 2006.

 

Is it the case that my security device doesn't support more advanced exchanges?  Is there no way to use something more advanced than:

ssh key-exchange group dh-group1-sha1

Any assistance would be greatly appreciated.

 

I am running the latest software and ASDM v10.1 on an ASA-5525-X.

 

https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

1 Reply 1

sp2lm@leidos.com
Beginner
Beginner

So, I have my answer for anyone whose interested:  Yes, the ASA is using weak key exchanges which are susceptible to the LogJam attack.  OpenSSH 7 and above removes support for diffie-hellman-group1-sha1 as a default, by specifying it manually we are about to get in on the CLI and by modifying the ~/.ssh/config file we are able to allow it to be used on a host which is using a weak protocol, which hilariously in this cases is an expensive ASA Firewall.

 

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

 

https://www.openssh.com/legacy.html

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers