Re: SSH Key Exchange Algorithm

AdMon wrote:
by a vulnerability scanning I've get following issue:

Problem Description:
The Secure Shell 2 (SSH2) protocol is a presentation layer protocol used to
provide secure client-server communication.

The SSH2 protocol specification requires that a SSH2 server support the
diffie-hellman-group1-sha1 key exchange algorithm. This key exchange
algorithm is considered strong, but faces a potential weakness in that the
same prime number is used for all key exchanges.

An alternative key exchange algorithm, diffie-hellman-exchange-group-sha1,
provides enhanced security by allowing for the prime number to be specified
during key exchange.

The target SSH2 server supports the diffie-hellman-group1-sha1 algorithm.

Has anybody an idea how can I fix this issue?
Thanks for Help!

Have you tried checking what algorithms your SSH server supports? Perhaps you can change the config to enable this algorithm?

It might help if you mentioned what SSH Server you are using? OpenSSH or some proprietary one?

I've just checked the OpenSSH config and while it mentions encryption ciphers there is no mention of key exchange algorithms, perhaps it's a compile time option but I don't compile my own for production (it's unmaintainable for security) so I wouldn't know.

If not using OpenSSH, would it be possible to switch to this? If your current server doesn't support the desired algorithm and if OpenSSH does, then this would probably solve your issue. Perhaps you should scan an OpenSSH system and see if the same problem is reported, but I doubt it (also, what are you using to scan it?).


Hari Sekhon

Relevant Pages