Welcome to the VanDyke Software Forums

Join the discussion today!


Go Back   VanDyke Software Forums > General

Reply
 
Thread Tools Display Modes
  #1  
Old 04-04-2016, 07:20 AM
koenv koenv is offline
Registered User
 
Join Date: Feb 2010
Posts: 39
diffie-hellman key exchange disabled

I was trying to connect to some Cisco switches but was failign with the following error:
Code:
Key exchange failed.
No compatible key exchange method. The server supports these methods: diffie-hellman
And indeed, in SecureCRT the diffie-hellman key exchange is indeed disabled by default. Enabling it fixed my issue but now I'm wondering..
Is there a reason why this is disabled by default? Is it less secure or anything like that? Should I leave is disabled for those sessions that don't require it?
Reply With Quote
  #2  
Old 04-05-2016, 10:46 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,216
Hi koenv,

The change was implemented in 8.0 Beta 1, and is related to the news surrounding the Logjam vulnerability. The Logjam vulnerability in and of itself is not applicable to SecureCRT (since SecureCRT is not an SSL v3 client), but information from the authors who conducted the associated research indicate that 1024-bit primes are subject to brute-force nation-state cracking and actually mention SSH servers being potentially susceptible (those which enable / use / allow diffie-hellman key exchange with 1024-bit or lesser primes).

See the following articles for more information about the weakness of diffie-hellman, 1024-bit primes, etc.:
https://www.schneier.com/blog/archiv...gjam_and_.html
https://weakdh.org (particularly point #2 which talks of nation-states being able to break a 1024-bit prime).
Because of this new research, diffie-hellman can largely be considered as weak/deprecated much the same way as 3DES and MD5 are now considered weak/deprecated.

For the security-minded professional, diffie-hellman should be left disabled, and only enabled in those rare circumstances where the device to which you are connecting does not support anything newer/stronger/better.

Note: "diffie-hellman" is not the same as "diffie-hellman-group14" (uses the Oakley Group 14 2048-bit prime -- see RFC 3526), which is considered to be more secure than diffie-hellman (uses the Oakley group 2 1024-bit prime -- see RFC 2409).

Then there is "diffie-hellman-group" key exchange in which the client and the server negotiate regarding the size of primes that will be used/allowed during key exchange (see RFC 4419). This "diffie-hellman-group" key exchange method is also considered more secure AS LONG AS the list of primes configured to be used on the server side are > 1024-bits in size. This new information is also why as of version 4.1 of our VShell SSH2 server product, the list of primes available for diffie-hellman-group key exchange no longer include any that are < 2048-bits in size.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #3  
Old 09-09-2016, 10:18 AM
theodoxa theodoxa is offline
Registered User
 
Join Date: Sep 2016
Posts: 3
We have switches configured for SSH. SecureCRT has no problem with some, but complains about others. The only configuration is specifying SSH on the VTY lines and creating a 1024 bit RSA Key.

Since it is working with some switches with 1024 bit keys, the key size doesn't seem to be the problem. I have noticed that all the problematic switches are slightly older (2960/2960-S/3560 vs. 2960-X/3750-X), so I'm thinking Cisco changed a default setting, but I don't know what it is to change it on the other switches. Does anyone know how to make the switches play nice with SecureCRT?
Reply With Quote
  #4  
Old 09-09-2016, 10:59 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,216
Hi theodoxa,

What version of SecureCRT are you using?

What is the specific message that you receive?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #5  
Old 09-13-2016, 09:23 AM
theodoxa theodoxa is offline
Registered User
 
Join Date: Sep 2016
Posts: 3
Quote:
Version 8.0.3 (x64 build 1183) - Official Release - September 8, 2016
Quote:
Key exchange failed.
No compatible key-exchange method. The server supports these methods: diffie-hellman

The diffie-hellman key-exchange method is off by default to address the Logjam
vulnerability. It can be turned on in the Sessions Options dialog in the
Connection/SSH2 category in order to connect to servers that only support
diffie-hellman.
..........
Reply With Quote
  #6  
Old 09-13-2016, 11:42 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,216
Hi theodoxa,

The solution is contained within the quoted message:

Quote:
The diffie-hellman key-exchange method is off by default to address the Logjam vulnerability. It can be turned on in the Sessions Options dialog in the Connection/SSH2 category in order to connect to servers that only support diffie-hellman.
See attached screenshot showing a default config as of v8.0.x:



If you enable diffie-hellman key exchange, is the issue resolved?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

Last edited by jdev; 09-13-2016 at 12:04 PM.
Reply With Quote
  #7  
Old 09-14-2016, 07:43 AM
theodoxa theodoxa is offline
Registered User
 
Join Date: Sep 2016
Posts: 3
Quote:
Originally Posted by bgagnon View Post
If you enable diffie-hellman key exchange, is the issue resolved?
Yes, but I was hoping there was some way to fix it on the switch side (a CLI command).

Last edited by theodoxa; 09-14-2016 at 08:25 AM.
Reply With Quote
  #8  
Old 09-14-2016, 08:29 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,216
Hi theodoxa,

That would be something you would have to take up with the vendor of the switch.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 10:30 PM.