Ethernet Switches & Routers

Contributor
Posts: 45
Registered: ‎01-26-2016

ICX ssh encryption

I am far from an encryption and/or authentication guru but I recently upgraded my Linux desktop system and it's now got OpenSSH 7.2 which no longer supports the diffie-hellman-group1-sha1 encryption that my Brocade switches use.

 

I found a parameter to throw into my ssh commands to make it work (for that particular connection) but, as I understand it, OpenSSH no longer supports this encryption because it's not as secure as more modern methods.

 

Is there a way to change or upgrade the encryption on my switches outside of a firmware upgrade?  

 

Is there a target firmware with better ssh encryption?  

 

Is there a better way to "talk" to my switches rather than ssh from my command line?

 

Thanks in advance. 

Contributor
Posts: 63
Registered: ‎07-20-2015

Re: ICX ssh encryption

Good day...

 

The way to upgrade SSH capabilities is firmware upgrades, but the predominant purpose of SSH, as you know, is secure command line access for management of the devices.

 

The only other way to manage the devices that I know of (other than the web GUI) is SNMP, and it is generally much more limited.  It can certainly get you port information, various metrics, etc.

Contributor
Posts: 45
Registered: ‎01-26-2016

Re: ICX ssh encryption

Thanks for the reply.

 

So if ssh is still the way to go to manage my switches (is there a way to share keys or whatever it's called?), I guess I can either downgrade my OpenSSH client, keep using the workarounds and/or figure out which firmware I would need to install to get past this.

 

 

Brocadian
Posts: 3
Registered: ‎02-03-2017

Re: ICX ssh encryption

Has anyone tried modifying their /etc/ssh/sshd_config file?

 

Add the following to the bottom of the file.

 

HostkeyAlgorithms +ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

 

Using VIM or Nano?

 

 

Contributor
Posts: 45
Registered: ‎01-26-2016

Re: ICX ssh encryption

Thanks for the suggestion.

 

I added those two lines to the bottom of /etc/ssh/sshd_config, regenerated my keys by "ssh-keygen -A" and restarted the service by "service ssh restart" and it didn't make any difference.

 

 

Brocadian
Posts: 3
Registered: ‎02-03-2017

Re: ICX ssh encryption

I used this solution with Mac OS X 10.12 after they upgraded OpenSSH to version 7.2. I'm sorry to hear that it didn't work for you...

http://goodbyecli.com/macos-sierra-beta/

Contributor
Posts: 63
Registered: ‎07-20-2015

Re: ICX ssh encryption

On the Brocade FastIron IOS type devices, I think you might find this particularly useful...  I have not personally tried it, but it probably should work.

 

http://www.brocade.com/content/html/en/configuration-guide/fastiron-08030b-securityguide/GUID-DD33D853-DC83-4F74-8157-4C608759933F.html
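
An added example, not part of any post in this thread: the per-connection workaround from the first post, made persistent in the client's ssh_config (for example ~/.ssh/config) but scoped to a single switch, so the legacy key exchange stays disabled for every other destination. The host name, function names and algorithm lists are constructed for illustration; the `KexAlgorithms +diffie-hellman-group1-sha1` option is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Inputs on a real client (not run here):
#   defaults:  ssh -G HOST | awk '$1 == "kexalgorithms" { print $2 }'
#   supported: ssh -Q kex | paste -sd, -
#   server:    the "Their offer:" list in ssh's "no matching key exchange" error

# kex_pick CLIENT_LIST SERVER_LIST: print the first client algorithm the server
# also offers (the basic selection rule of RFC 4253 section 7.1), else return 1.
kex_pick() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs; printf '%s\n' "$c"; return 0
            fi
        done
    done
    IFS=$old_ifs; return 1
}

# advise HOST DEFAULTS SUPPORTED SERVER: report what negotiates by default, or
# print an ssh_config stanza that re-enables one legacy algorithm for HOST only.
advise() {
    if picked=$(kex_pick "$2" "$4"); then
        printf '# %s: negotiates %s with client defaults\n' "$1" "$picked"
    elif legacy=$(kex_pick "$3" "$4"); then
        printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$legacy"
    else
        printf '%s: no common key exchange algorithm\n' "$1" >&2
        return 1
    fi
}

# Constructed sample data (assumptions, not captured from a real client or switch).
CLIENT_DEFAULT="curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"
CLIENT_SUPPORTED="$CLIENT_DEFAULT,diffie-hellman-group1-sha1"
SWITCH_KEX="diffie-hellman-group1-sha1"

# Hypothetical host name; prints the stanza to append to ~/.ssh/config.
advise icx-sw1.example.net "$CLIENT_DEFAULT" "$CLIENT_SUPPORTED" "$SWITCH_KEX"
```

Once a firmware upgrade makes the switch offer a key exchange the client enables by default, the same function prints a comment instead of a stanza, which is the cue to delete the per-host exception.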

 

 
