SSH Weak Key Exchange algorithms are enabled
search cancel

SSH Weak Key Exchange algorithms are enabled

book

Article ID: 271801

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

APIM Admin security team ran a security scan and found out that we were using the following Kex Algorithm:

  • diffie-hellman-group-exchange-sha1

Environment

Release : 10.1 CR03

Resolution

Ultimately you can edit the:

SSH Client -> /etc/ssh/ssh_config

or the SSHD Server -> /etc/ssh/sshd_config 

and put the following uncommented out statement:

KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Then you need to recycle ssh:

service sshd restart

Then you can confirm with the local command:

sshd -T | grep -i kex 

and it will list want our SSHD accepts.  

Also you can confirm this with the following nmap command:

nmap -sV -p 22 --script ssh2-enum-algos <servername>