Disable Diffie Hellman Weak Key Exchange Algorithm


herry21
Forum Member (43 reputation)
Group: Forum Members
Posts: 4, Visits: 6
Hi,

Our infosec team found Diffie-Hellman to be a vulnerability, so we are required to disable it on the Fortress SSH server. How can we do it?

Regards,
Technical Support Group (TSG)
Pragmateer (1.5K reputation)
Group: Moderators
Posts: 136, Visits: 639
In reply to herry21 - 9/10/2021 8:06:01 AM:

Hello,

You can configure the server algorithms using the Local FortressSSH Configuration program. Under the General Settings branch there is a page for each configurable option of the ssh protocol: Cipher; Compression; Host Key; Key Exchange; and MAC. On the Key Exchange branch you can uncheck any algorithm that you do not want allowed.

If you do not have the Key Exchange branch, you should update to the latest build at www.pragmasys.com/ssh-server/download.

Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750
http://www.pragmasys.com
herry21
Forum Member (43 reputation)
Group: Forum Members
Posts: 4, Visits: 6
In reply to Technical Support Group (TSG) - 9/10/2021 3:40:37 PM:

Hello,

Many thanks for this solution. We will upgrade the software to the latest version.

Best Regards,
Heri
herry21
Forum Member (43 reputation)
Group: Forum Members
Posts: 4, Visits: 6
In reply to Technical Support Group (TSG) - 9/10/2021 3:40:37 PM:

Hi,

We already upgraded the software, then unchecked any algorithm we don't want.

But after logging in to the server using ssh and performing a query using "ssh -Q kex", the algorithm is still there, even after restarting the Fortress services.

How can we make sure that clients are not allowed to use the algorithm?

Thank you,
Heri
herry21
Forum Member (43 reputation)
Group: Forum Members
Posts: 4, Visits: 6
In reply to herry21 - 9/13/2021 3:05:10 AM:

We need to disable diffie-hellman-group-sha1
Technical Support Group (TSG)
Pragmateer (1.5K reputation)
Group: Moderators
Posts: 136, Visits: 639
In reply to herry21 - 9/13/2021 3:06:12 AM:

Heri,

The ssh -Q option queries the current ssh client, not the server. It also appears that you might be using the OpenSSH client, because our client does not support the -Q option.

The best way to view the server algorithms is to connect with a -v option on the client command and view the negotiation between the server and client.


Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750
http://www.pragmasys.com
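
The server-side check described in the reply above, as an added example that is not part of the original thread or Pragma's own tooling: it reads the key-exchange list the server advertises from OpenSSH client debug output and reports any SHA-1 Diffie-Hellman entries. It assumes an OpenSSH client, which prints the server's list under "peer server KEXINIT proposal" at the -vv debug level; the function names and the sample debug text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the key-exchange list an SSH *server* advertises.
# `ssh -Q kex` only lists what the local client binary supports; this reads
# the server's KEXINIT proposal from OpenSSH client debug output instead.

# Print, one per line, the KEX algorithms in the server's proposal.
# Input: `ssh -vv` debug text on stdin.
server_kex() {
  awk '
    /debug2: peer server KEXINIT proposal/  { peer = 1; next }
    /debug2: local client KEXINIT proposal/ { peer = 0 }
    peer && /debug2: KEX algorithms: / {
      sub(/.*KEX algorithms: /, "")
      sub(/\r$/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) print a[i]
      exit
    }'
}

# Keep only Diffie-Hellman exchanges that hash with SHA-1.
weak_kex() {
  server_kex | grep -E '^diffie-hellman-.*-sha1$' || true
}

# Constructed sample of `ssh -vv` output (not captured from a real server).
sample_debug() {
  cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug1: kex: algorithm: ecdh-sha2-nistp256
EOF
}

# Live use ($1 is your server, a placeholder here). BatchMode avoids prompts;
# authentication may fail, but the proposal is printed before that stage.
audit_host() {
  ssh -vv -o BatchMode=yes -o ConnectTimeout=10 "$1" exit 2>&1 | weak_kex
}

if [ "${1:-}" = "--demo" ]; then sample_debug | weak_kex; fi
```

Empty output from `audit_host` after unchecking the algorithms and restarting the service means the server no longer offers them, regardless of what `ssh -Q kex` reports for the client.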