Campus Switching and Routing

Occasional Contributor II
Posts: 17
Registered: ‎02-13-2017

3810M and 5400Rzl2: Are there additional SSH key exchange methods?


Our DevOps team has an old network management tool (using Java 6) that they're upgrading. Previously it used telnet to connect to switches; they're attempting to replace that with SSH.

The library they're using doesn't have the key exchange algorithm which the switches use. It does, however, have compatible ciphers and MAC algorithms, so we can leave that out for now.

Our 3810M and 5400Zrl2 switches are in `secure-mode standard` with firmware versions KB.16.02 and KB.16.03 and appear to only accept `diffie-hellman-group14-sha1`. I understand that this uses a group size of 2048 bits and is acceptable for use.

This is a log (generated by their program) from one attempt to connect to the switches:

2017-03-15 12:59:12 INFO  main:56 - jsCH: Connecting to <SWITCH IP ADDRESS> port 22
2017-03-15 12:59:12 INFO  main:56 - jsCH: kex: <SWITCH>: diffie-hellman-group14-sha1 --keyExchange
. . .
2017-03-15 12:59:12 INFO  main:56 - jsCH: kex: <SOFTWARE>: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
. . .
2017-03-15 12:59:12 INFO  main:56 - jsCH: kex: <SOFTWARE>: none
2017-03-15 12:59:12 INFO  main:56 - jsCH: Disconnecting from <SWITCH IP ADDRESS> port 22

`diffie-hellman-group1-sha1` is not secure due to being within the theoretical range of Logjam, however `diffie-hellman-group-exchange-sha256` and `diffie-hellman-group-exchange-sha1` can be sufficient if the client requests a group size of 2048.

Do the 3810M and 5400Zrl2 switches have these key exchanges available for use? If so, how would one go about enabling them?
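To make the failure in the log above concrete, here is an added example (not code from the original post, from JSch or from ArubaOS-Switch) that parses the two kex lines and applies the RFC 4253 negotiation rule: the first algorithm in the client's list that the server also offers wins, and no overlap means the session is torn down. The sample log is constructed from the thread's log with its placeholders kept.

```python
"""SSH key-exchange negotiation (RFC 4253, section 7.1) applied to the
algorithm lists visible in a JSch-style kex log.  Added illustration,
not code from the original post, JSch or ArubaOS-Switch."""
import re

# Constructed sample mirroring the thread's log (placeholders kept as-is).
SAMPLE_LOG = """\
2017-03-15 12:59:12 INFO  main:56 - jsCH: kex: <SWITCH>: diffie-hellman-group14-sha1 --keyExchange
2017-03-15 12:59:12 INFO  main:56 - jsCH: kex: <SOFTWARE>: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
"""

# <SWITCH> is the server's offer, <SOFTWARE> the client's; "--keyExchange" is
# trailing text on the server line, so only the comma-separated token is kept.
KEX_LINE = re.compile(r"kex: <(SWITCH|SOFTWARE)>: (\S+)")

# Algorithms the thread itself flags as weak (1024-bit group, Logjam range).
WEAK_KEX = {"diffie-hellman-group1-sha1"}


def parse_kex_lists(log):
    """Return (server_algorithms, client_algorithms) from the kex log lines."""
    lists = {"SWITCH": [], "SOFTWARE": []}
    for m in KEX_LINE.finditer(log):
        lists[m.group(1)] = m.group(2).split(",")
    return lists["SWITCH"], lists["SOFTWARE"]


def negotiate_kex(client, server):
    """RFC 4253 7.1: first client-preferred algorithm also offered by the
    server; None means no common method and the connection fails."""
    for alg in client:
        if alg in server:
            return alg
    return None


def explain(log):
    """Summarise the negotiation outcome and any weak offers on the client side."""
    server, client = parse_kex_lists(log)
    return {
        "server": server,
        "client": client,
        "chosen": negotiate_kex(client, server),
        "weak_client_offers": sorted(WEAK_KEX & set(client)),
    }


if __name__ == "__main__":
    result = explain(SAMPLE_LOG)
    print("negotiated kex:", result["chosen"])          # None -> "kex: none"
    print("weak client offers:", result["weak_client_offers"])
```

Adding `diffie-hellman-group14-sha1` to the client's list is what makes `negotiate_kex` return a method; dropping `diffie-hellman-group1-sha1` removes the weak offer the post warns about.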

Occasional Contributor II
Posts: 10
Registered: ‎09-02-2016

Re: 3810M and 5400Rzl2: Are there additional SSH key exchange methods?

Hi Kamikaze,

Aruba OS-Switch doesn't support any key exchange algorithm other than "diffie-hellman-group14-sha1" for SSH connections by default. Any SSH client will have to support the same key exchange algorithm as the switch.

Regards,

Justin

JUSTIN NOONAN
TECHNICAL MARKETING ENGINEER – ARUBA CAMPUS TECHNOLOGIES
O: +1 916 540 1748   |   justin.noonan@hpe.com

8000 FOOTHILLS BLVD  |  ROSEVILLE, CA 95747 USA

Occasional Contributor II
Posts: 17
Registered: ‎02-13-2017

Re: 3810M and 5400Rzl2: Are there additional SSH key exchange methods?

Justin,

Thank you for responding. I'll let our DevOps team know immediately.
