Ethernet Switches & Routers

New Contributor
Posts: 3
Registered: ‎08-01-2016

SSH-server is broken on ICX7250's - deprecated security keys.

The ICX7250's don't seem to support anything other than REALLY old and weak SSL key versions in SSH... which have now been deprecated.

I'm trying to set up a simple SSH login - nothing fancy - and I'm falling over at the first hurdle.

Status of the switch that I'm testing this on:

SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   : DSA 1024
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Permit empty password      : No
Authentication methods     : Password, Public-key, Interactive
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 0
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :
SSH Client Keys            :

However, when I try to login, all I get is this:

Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

According to the instruction manual: It is just a case of generating an RSA key - creating a local user [for testing purposes] - and you should be good to go.

I am using OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016 - and all our Linux servers used for monitoring will also be using a similar version.

The Brocade Security Manual - does seem to have left out some information, so I'm wondering if you guys can help me please?

Brocade Moderator
Posts: 27
Registered: ‎07-18-2016

Re: SSH-server is broken on ICX7250's - deprecated security keys.

Hi,

First, what version are you running? Second, have you tried to clear the crypto keys and regenerate them?

To delete the DSA host key pair, enter the following command.

device(config)#crypto key zeroize dsa

To generate a DSA key pair, enter the following command.

device(config)#crypto key generate dsa

Then try to ssh again.

I hope this helps.

Sincerely

Bill Hadley

New Contributor
Posts: 3
Registered: ‎08-01-2016

Re: SSH-server is broken on ICX7250's - deprecated security keys.

Hi there,

I am running FastIron 07400 Layer 3 code base.

Nope - this does not work - I have raised a TAC call with Brocade.

Error as previously: Unable to negotiate with xx.xx.xx.xx port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Broken SSH.

Thanks

Max

Frequent Contributor
Posts: 91
Registered: ‎07-20-2015

Re: SSH-server is broken on ICX7250's - deprecated security keys.

First upgrade the Firmware and Bootrom if applicable to the latest supported version.

Next zeroize the crypto keys as described above.

... Then try this:

crypto key generate rsa mod 2048

If you would like to harden it further tweak these settings to your liking:

ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30

If you want to go all out and lock it down to answer SSH for only certain IPs and or subnets:

access-list 99 permit host 10.1.2.3
access-list 99 permit 10.2.0.0 0.0.255.255
access-list 99 deny any log

ssh access-group 99

Oh, yeah and don't forget to disable telnet:

no telnet server

New Contributor
Posts: 3
Registered: ‎08-01-2016

Re: SSH-server is broken on ICX7250's - deprecated security keys.

Hi, thanks for the reply. I am a little dyslexic, so what I actually meant was that my code base was actually 08400 layer 3 code base.

There is some good (and bad) news. SSHv2 in 08400 and 08400a is definitely broken on the ICX7250's. You can deprecate down to sha1 authentication, but that has flaws and problems in it. I've raised the problem that according to Brocade's manual (security), SSH (OpenSSH 5.2) is only supported. This has critical vulnerabilities associated with it.

Brocade are fixing the code base in Fastiron 08500 code (out soon), so I will be upgrading to that when it comes out.
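As an added example (not from this thread or from Brocade), here is a small Python audit that takes the switch status block quoted in the first post and the OpenSSH client error, and lists the weak settings a defender would want fixed before exposing the management plane: the DSA 1024 host key, the CBC ciphers, the disabled idle timeout, the empty access-group, and the deprecated diffie-hellman-group1-sha1 key exchange the server offers. The `Field : value` layout and the sample address are assumptions taken from the thread's output; the status text is constructed from it.

```python
import re

# Constructed sample: the switch status block as quoted in the first post
# (assumed "Field : value" layout; only the fields the audit looks at).
SWITCH_STATUS = """\
SSH server                 : Enabled
Host Key                   : DSA 1024
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Authentication retries     : 3
Idle timeout (minutes)     : 0
SSH IPv4 access-group      :
"""

# Constructed sample: the OpenSSH 7.x client error from the thread, with a documentation address.
CLIENT_ERROR = ("Unable to negotiate with 192.0.2.10 port 22: no matching key "
                "exchange method found. Their offer: diffie-hellman-group1-sha1")

# Key-exchange methods OpenSSH disabled by default because they rely on SHA-1 / 1024-bit groups.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

def parse_status(text):
    """Turn 'Field : value' lines into a dict; empty values are kept as ''."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def audit(status_text, client_error=None):
    """Return a list of findings describing weak or missing SSH server settings."""
    f = parse_status(status_text)
    findings = []
    m = re.match(r"(\w+)\s+(\d+)", f.get("Host Key", ""))
    if m and (m.group(1).upper() == "DSA" or int(m.group(2)) < 2048):
        findings.append(f"weak host key: {m.group(1)} {m.group(2)} (use RSA >= 2048)")
    cbc = [c for c in re.split(r",\s*", f.get("Encryption", "")) if c.endswith("-cbc")]
    if cbc:
        findings.append("weak ciphers offered: " + ", ".join(cbc))
    if f.get("Idle timeout (minutes)") == "0":
        findings.append("idle timeout disabled")
    if not f.get("SSH IPv4 access-group"):
        findings.append("no IPv4 access-group restricting SSH clients")
    if client_error:
        offered = re.search(r"Their offer:\s*(.+)$", client_error)
        for kex in (re.split(r",\s*", offered.group(1)) if offered else []):
            if kex in WEAK_KEX:
                findings.append(f"server only offers deprecated key exchange: {kex}")
    return findings
```

Running `audit(SWITCH_STATUS, CLIENT_ERROR)` on the thread's own values yields five findings, which is why regenerating an RSA 2048 host key and upgrading the firmware, rather than re-enabling group1-sha1 on the client, is the right fix.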
