03-30-2017 11:38 AM
I am far from an encryption and/or authentication guru but I recently upgraded my Linux desktop system and it's now got OpenSSH 7.2 which no longer supports the diffie-hellman-group1-sha1 encryption that my Brocade switches use.
I found a parameter to throw into my ssh commands to make it work (for that particular connection) but, as I understand it, OpenSSH no longer supports this encryption because it's not as secure as more modern methods.
Is there a way to change or upgrade the encryption on my switches outside of a firmware upgrade?
Is there a target firmware with better ssh encryption?
Is there a better way to "talk" to my switches rather than ssh from my command line?
Thanks in advance.
03-30-2017 12:00 PM
The way to upgrade SSH capabilities is firmware upgrades, but the predominant purpose of SSH, as you know, is secure command-line access for management of the devices.
The only other way to manage the devices that I know of (other than the web GUI) is SNMP, and it is generally much more limited. It can certainly get you port information, various metrics, etc.
03-30-2017 12:11 PM
Thanks for the reply.
So if ssh is still the way to go to manage my switches (is there a way to share keys or whatever it's called?), I guess I can either downgrade my OpenSSH client, keep using the workarounds and/or figure out which firmware I would need to install to get past this.
03-30-2017 12:28 PM
Has anyone tried modifying their /etc/ssh/sshd_config file?
Add the following to the bottom of the file.
Using VIM or Nano?
03-30-2017 12:39 PM
Thanks for the suggestion.
I added those two lines to the bottom of /etc/ssh/sshd_config, regenerated my keys by "ssh-keygen -A" and restarted the service by "service ssh restart" and it didn't make any difference.
04-07-2017 10:49 AM
On the Brocade FastIron IOS type devices, I think you might find this particularly useful... I have not personally tried it, but it probably should work.
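Added example, not part of any post in this thread: a small check that a client-side `ssh_config` enables diffie-hellman-group1-sha1 only for the switch hosts rather than for every connection. It assumes the per-connection workaround from the first post is the OpenSSH client option `KexAlgorithms`; the host names and both sample configs are constructed.

```python
import fnmatch
import re

LEGACY_KEX = "diffie-hellman-group1-sha1"  # the algorithm named in the thread

# Constructed sample: legacy KEX limited to the switches (placeholder host names).
SCOPED = """\
Host brocade-sw*
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    ServerAliveInterval 60
"""

# Constructed sample: legacy KEX switched on for every host the client talks to.
GLOBAL = """\
Host *
    KexAlgorithms +diffie-hellman-group1-sha1
"""

def host_matches(host, patterns):
    """Host-line semantics: a negated (!) match vetoes, otherwise any match wins."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def legacy_kex_enabled(config_text, host):
    """True if the first applicable KexAlgorithms line enables LEGACY_KEX for host."""
    patterns = ["*"]  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = []  # Match blocks are not evaluated in this example
        elif key == "kexalgorithms" and host_matches(host, patterns):
            # ssh keeps the first value it obtains for each option
            if value.startswith("-"):
                return False
            return LEGACY_KEX in value.lstrip("+^").split(",")
    return False  # no override found, so the client default applies

if __name__ == "__main__":
    for name, cfg in (("scoped", SCOPED), ("global", GLOBAL)):
        print(name, legacy_kex_enabled(cfg, "web01.example.net"))
```

These options belong in the client configuration (`~/.ssh/config` or `/etc/ssh/ssh_config`); `sshd_config` configures the SSH server on the desktop, not outgoing connections.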