Print this pagePrint this page

Email this topicEmail this topic

View PDFView PDF

Download EPUBDownload EPUB

OpenSSH Upgrade and Increased support for Diffie-Hellman Groups

OpenSSH server and client is upgraded from 6.5p1 to 7.5p1.

Support for key exchange algorithms diffie-hellman-group14-sha256 (2,048 bits), diffie-hellman-group16-sha512 (4,096 bits), and diffie-hellman-group18-sha512 (8,192 bits) is added.

Earlier versions of ExtremeXOS had all supported algorithms configured by default; for ExtremeXOS 22.5, several weaker algorithms are disabled by default, which can be re-enabled if desired.

The following SSH parameters are enabled by default:

In Default mode:
  • Ciphers: aes128-ctr, aes192-ctr, aes256-ctr, chacha20-poly1305@openssh.com
  • MACs: hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1, hmac-sha2-256, hmac-sha2-512
In Default, FIPS, and Secure mode:
  • Key exchange algorithms: Diffie-Hellman groups 14 (2,048 bits), 16 (4,096 bits), 18 (8192 bits)
  • User key algorithms: ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss

The following algorithms are disabled by default in ExtremeXOS 22.5:

In Default mode;
  • Ciphers: 3des-cbc, blowfish-cbc, aes128-cbc, aes192-cbc, aes256-cbc, cast128-cbc, rijndael-cbc@lysator.liu.se, arcfour, arcfour128, arcfour256
  • MACs: hmac-md5, hmac-md5-96, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96, hmac-sha1-96-etm@openssh.com
  • Key exchange algorithms: diffie-hellman-group1-sha1 (1,024 bits)
In Default, FIPS, and Secure mode:
  • Key exchange algorithms: diffie-hellman-group1-sha1 (1,024 bits)
  • User key algorithms: ssh-dss

Upgrading to ExtremeXOS 22.5 and Later

When upgrading from earlier releases to ExtremeXOS 22.5, supported ciphers, MACs, public key algorithms are inherited from the earlier releases.

Note

Note

DSA (ssh-dss) related host key algorithms are not supported in both server and client in ExtremeXOS 22.5 and later. However, for backward compatibility, it is supported in the server after an upgrade to ExtremeXOS and later if DSA host key is present in the earlier release.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X870, X620, X690 series switches.

Changed CLI Commands

Changes are underlined.

configure ssh2 dh-group minimum [1 | 14 |16 |18]

The following show command is changed to show the new Diffie-Hellman groups:

show ssh2

Published January 2019prev | next

Email this topicEmail this topic

Print this pagePrint this page