OpenSSH 7


OpenSSH 7 discontinued, among other things, the older key exchange method based on Diffie-Hellman group 1 (diffie-hellman-group1-sha1). It can be attacked using the attack known as Logjam.

That's all good and nice, until you try to connect to such a device using a newly upgraded SSH client. If your device supports only the DH group 1 key exchange, you need to upgrade its software. If you already have software capable of stronger key exchanges, it still needs to be configured on the box.

For a Cisco ASA you need to configure:

ssh key-exchange group dh-group14-sha1

and for Cisco IOS/IOS-XE boxes, you need to raise the minimum DH key length; IOS will iterate over the available key exchange options and ignore those that do not meet the requirement:

ip ssh dh min size 2048
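To see what the device-side policy above actually does, here is an added Python example (not from the original post and not Cisco's or OpenSSH's code). It builds a constructed SSH_MSG_KEXINIT payload in the RFC 4253 wire format, parses the key exchange name-list a server would advertise, and then applies a simplified "minimum DH size" filter modelled on the IOS behaviour described above: named fixed-group DH methods whose modulus is below the threshold are rejected, everything else passes. The group sizes in the table (group1 = 1024-bit, group14 = 2048-bit) are the standard values; the sample algorithm lists and the fixed cookie are constructed for the demonstration, and `filter_kex_by_min_dh` is a hypothetical helper, not the router's real selection logic.

```python
import struct

SSH_MSG_KEXINIT = 20

# Modulus size of the fixed MODP groups behind these RFC 4253 / RFC 8268 names.
# diffie-hellman-group1-sha1 is the 1024-bit group OpenSSH 7 dropped (Logjam).
DH_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group18-sha512": 8192,
}

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex", "hostkey",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
]


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, compression=("none",)):
    """Build a constructed KEXINIT payload; the cookie is fixed so output is reproducible."""
    cookie = bytes(range(16))  # real implementations use 16 random bytes
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += _name_list(kex) + _name_list(hostkey)
    body += _name_list(ciphers) * 2      # client->server, server->client
    body += _name_list(macs) * 2
    body += _name_list(compression) * 2
    body += _name_list([]) * 2           # language lists, normally empty
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its name-lists; raises ValueError on malformed input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id + cookie
    out = {}
    for field in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        off += n
        out[field] = raw.split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("truncated trailer")
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def filter_kex_by_min_dh(kex_names, min_bits):
    """Hypothetical model of an 'ip ssh dh min size' policy: drop named fixed DH groups
    smaller than min_bits. Methods not in the table (ECDH, group exchange) are kept
    untouched, since their strength is not a fixed modulus size. Returns (kept, rejected)."""
    kept, rejected = [], []
    for name in kex_names:
        bits = DH_GROUP_BITS.get(name)
        if bits is not None and bits < min_bits:
            rejected.append(name)
        else:
            kept.append(name)
    return kept, rejected


if __name__ == "__main__":
    # Constructed sample: a server that still advertises the 1024-bit group first.
    sample = build_kexinit(
        ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "curve25519-sha256"],
        ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"],
    )
    offered = parse_kexinit(sample)["kex"]
    kept, rejected = filter_kex_by_min_dh(offered, 2048)
    print("offered :", offered)
    print("kept    :", kept)
    print("rejected:", rejected)
```

Running the same filter with a threshold of 1024 keeps the group 1 method, which is exactly the state a box is in before the `ip ssh dh min size 2048` change; with 2048 the weak group is rejected and the negotiation can only land on group 14 or the ECDH method.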