Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. This method allows two computer users to generate a shared private key with which they can then exchange information across an insecure channel.
ExtremeXOS supports Diffie-Hellman group 1 and Diffie-Hellman group 14 as part of the key exchange algorithms. In compliance with the Network Device collaborative Protection Profile (NDPP) of Common Criteria, the TSF (Target Security Function) ensures that diffie-hellman-group14-sha1 is the only minimal allowed key exchange method used for the SSH protocol.
ExtremeXOS now allows you to configure the minimal supported Diffie-Hellman group as 14 to avoid using the weaker Diffie-Hellman group 1 in an SSH server.
Two new CLIs are introduced to configure the minimal supported Diffie-Hellman group and show ssh configuration details respectively: Configure ssh2 dh-group minimum [1 | 14] Show ssh2 If the minimal supported Diffie-Hellman group is 14, then only Diffie-Hellman group 14 would be available in its key exchange algorithm proposal; Diffie-Hellman group 1 would not. User can revert back to default configuration by setting the minimal supported group as Diffie-Hellman group 1. Server will pick the first entry from client proposal and will match with its own proposal. If no match, picks the next entry from client proposal and so on. If no match found, the connection will be rejected. The support is added to ExtremeXOS SSH server and client as well.