OpenSSH 7.0, among other things, disabled the old Diffie-Hellman group 1 key exchange (diffie-hellman-group1-sha1) by default. Its fixed 1024-bit group is exactly the size the Logjam research showed to be within reach of a well-resourced attacker, so it can no longer be considered safe.
That's all good and nice, until you try to connect to such a device with a freshly upgraded SSH client and are greeted with "no matching key exchange method found". If your device supports only DH group 1 key exchange, you need to upgrade its software. If the software already supports a stronger exchange, it just needs to be configured on the box.
For Cisco ASA you need to configure:
ssh key-exchange group dh-group14-sha1
For Cisco IOS/IOS-XE boxes you instead raise the minimum DH key size; IOS goes through the available key exchange options and skips any whose group is smaller than the configured minimum, so the 1024-bit group 1 is no longer offered:
ip ssh dh min size 2048
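To verify what the box actually offers after the change, here is an added example (mine, not from the original post or from Cisco): a small POSIX shell helper that pulls the server's key-exchange list out of `ssh -vv` debug output and tells you whether an OpenSSH 7 client will accept it. It assumes the `debug2: peer server KEXINIT proposal` / `debug2: KEX algorithms:` lines that OpenSSH prints; the two embedded transcripts and the address 192.0.2.10 are constructed for the demo, not real captures.

```shell
#!/bin/sh
# Extract the KEX algorithms the *server* offered, from `ssh -vv` output on stdin.
# OpenSSH prints the peer's proposal under "debug2: peer server KEXINIT proposal",
# followed by a "debug2: KEX algorithms: a,b,c" line; the client's own proposal
# comes earlier under "local client KEXINIT proposal" and must be skipped.
server_kex() {
    awk '
        /peer server KEXINIT proposal/ { want = 1; next }
        want && /KEX algorithms:/      { sub(/.*KEX algorithms: /, ""); print; exit }
    '
}

# Exit 0 if the server offers anything besides diffie-hellman-group1-sha1
# (i.e. an exchange an OpenSSH 7.0+ client still enables by default),
# 1 if group1 is its only offer, 2 if no server proposal was found at all.
server_kex_ok() {
    kex=$(server_kex)
    [ -n "$kex" ] || return 2
    printf '%s\n' "$kex" | tr ',' '\n' | grep -qvx 'diffie-hellman-group1-sha1'
}

# Constructed sample, not a real capture: a box that still offers only group 1.
ONLY_GROUP1='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'

# Constructed sample: the same box after the minimum was raised to 2048 bits.
GROUP14='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa'

# Stand-alone demo on the constructed samples.
for text in "$ONLY_GROUP1" "$GROUP14"; do
    printf 'server offered %s -> ' "$(printf '%s\n' "$text" | server_kex)"
    if printf '%s\n' "$text" | server_kex_ok; then
        echo "acceptable to OpenSSH 7"
    else
        echo "group1 only, fix the box"
    fi
done

# Against a real device (BatchMode avoids hanging on a password prompt):
#   ssh -vv -o BatchMode=yes admin@192.0.2.10 true 2>&1 | server_kex_ok && echo "kex ok"
```

Run the real-device line after applying the ASA or IOS command above; if it still reports group1 only, the configuration did not take effect or the software has no stronger group to offer. Until the box is fixed, OpenSSH still lets you re-enable the legacy exchange for a single connection with `-oKexAlgorithms=+diffie-hellman-group1-sha1`, which is a workaround, not a fix.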