I am having an issue with the SSH connectivity groups, it does not let me use SHA256 which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself. There are options to set the ASDM and VPN exchanges, but I only have group 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in https://www.ietf.org/rfc/rfc4419.txt which is way back in 2006.
Is it the case that my security device doesn't support more advanced exchanges? Is there no way to use something more advanced than:
ssh key-exchange group dh-group1-sha1
Any assistance would be greatly appreciated.
I am running the latest software and ASDM v10.1 on an ASA-5525-X.
So, I have my answer for anyone who's interested: Yes, the ASA is using weak key exchanges which are susceptible to the LogJam attack. OpenSSH 7 and above removes support for diffie-hellman-group1-sha1 as a default; by specifying it manually we are able to get in on the CLI, and by modifying the ~/.ssh/config file we are able to allow it to be used on a host which is using a weak protocol, which hilariously in this case is an expensive ASA Firewall.
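The client-side workaround above re-enables a key exchange that OpenSSH dropped for a reason, so the practical question is how to do it narrowly. The script below is an added example, not from the original post or from Cisco: it emits a ~/.ssh/config stanza that enables diffie-hellman-group1-sha1 only for one named host, and it audits an existing config file for the risky form, where the same algorithm has been added under a "Host *" block and is therefore offered to every server. The host name `asa-mgmt` and the temp file path are constructed placeholders; if your ASA offers dh-group14-sha1, as the question says the SSH menu lists, prefer that on the device side and skip the client workaround entirely.

```shell
#!/bin/sh
# Added example (not part of the original post). Scopes a legacy SSH key
# exchange to a single host and audits ssh_config files for wildcard use.

LEGACY_KEX="diffie-hellman-group1-sha1"

# Print a stanza that enables the legacy KEX for exactly one host.
# The "+" form appends to OpenSSH's default list instead of replacing it,
# so stronger exchanges are still tried first where the server offers them.
legacy_stanza() {
    host="$1"
    printf 'Host %s\n    KexAlgorithms +%s\n' "$host" "$LEGACY_KEX"
}

# Count KexAlgorithms lines that enable the legacy KEX inside a "Host *"
# block of the given ssh_config file. Prints the count (0 when clean).
# Only "Host" blocks are tracked; "Match" blocks are not parsed here.
audit_config() {
    awk -v kex="$LEGACY_KEX" '
        /^[Hh]ost[ \t]/ { wildcard = ($2 == "*") }
        /^[ \t]*[Kk]ex[Aa]lgorithms/ && wildcard && index($0, kex) { hits++ }
        END { print hits + 0 }
    ' "$1"
}

# Stand-alone demonstration on a constructed config file.
demo_file=$(mktemp)
printf 'Host *\n    KexAlgorithms +%s\n' "$LEGACY_KEX" > "$demo_file"
echo "wildcard legacy KEX entries in constructed config: $(audit_config "$demo_file")"
echo "scoped replacement:"
legacy_stanza asa-mgmt
rm -f "$demo_file"
```

Run the audit against ~/.ssh/config on the automation host that talks to the firewall; a non-zero count means the weak exchange is being offered everywhere, not just to the ASA, and the stanza should be narrowed to the management address.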