Problem with Weak SSH Key Exchange Options

I am having an issue with the SSH connectivity groups: it does not let me use SHA256, which means my FIPS 140-2 SALT automation server can't connect in and run commands from the firewall itself. There are options to set the ASDM and VPN exchanges, but I only have group 1 and 14 available for SSH to the management interface, and it does not include the SHA256 option made available in which is way back in 2006.


Is it the case that my security device doesn't support more advanced exchanges?  Is there no way to use something more advanced than:

ssh key-exchange group dh-group1-sha1

Any assistance would be greatly appreciated.


I am running the latest software and ASDM v10.1 on an ASA-5525-X.


So, I have my answer for anyone who's interested: Yes, the ASA is using weak key exchanges which are susceptible to the LogJam attack. OpenSSH 7 and above removes support for diffie-hellman-group1-sha1 as a default; by specifying it manually we are able to get in on the CLI, and by modifying the ~/.ssh/config file we are able to allow it to be used on a host which is using a weak protocol, which hilariously in this case is an expensive ASA Firewall.


ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
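A way to check that the ~/.ssh/config workaround from this answer stays scoped to the one legacy host instead of re-enabling the weak exchange for every connection, as an added example that is not part of the thread. The sample config, the asa-mgmt alias and the function names are constructed; it flags diffie-hellman-group1-sha1 and, going slightly beyond the thread, any other SHA-1 based key exchange.

```shell
#!/bin/sh
# Constructed sample ~/.ssh/config (not from the original post). The first block
# scopes the weak KEX to one host; the "Host *" block is the misconfiguration
# we want to catch, because it enables it for every SSH session.
SAMPLE_CONFIG='Host asa-mgmt
    HostName legacyhost
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa

Host *
    KexAlgorithms +diffie-hellman-group1-sha1
'

# Print every Host block under which a weak KEX is enabled, one line per
# match as "<host pattern><TAB><algorithm>". Entries before any Host line
# are reported under "(global)". The +/-/^ prefix is stripped per algorithm.
weak_kex_scopes() {
  printf '%s\n' "$1" | awk '
    BEGIN { host = "(global)" }
    tolower($1) == "host" {
      host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next
    }
    tolower($1) == "kexalgorithms" {
      n = split($2, algs, ",")
      for (i = 1; i <= n; i++) {
        a = algs[i]; sub(/^[-+^]/, "", a)
        if (a == "diffie-hellman-group1-sha1" || a ~ /-sha1$/) print host "\t" a
      }
    }'
}

# Exit 0 when weak KEX entries only appear under specific host patterns,
# exit 1 when any global entry or wildcard pattern (containing "*") enables one.
weak_kex_is_scoped() {
  weak_kex_scopes "$1" | awk -F '\t' '
    $1 == "(global)" || $1 ~ /\*/ { bad = 1 }
    END { exit bad }'
}
```

Run weak_kex_is_scoped "$(cat ~/.ssh/config)" from a shell; a non-zero exit means the legacy exchange leaked into a wildcard or global scope.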
