Security Scanner Reports a "potentially weak key exchange algorithm" for Sun Secure Shell (ssh)
(Doc ID 1223914.1)
Last updated on OCTOBER 01, 2024
Applies to:
Solaris Operating System - Version 9 to 11.4 [Release 9.0 to 11.0]
Information in this document applies to any platform.
Symptoms
A security scanner reports a "potentially weak key exchange algorithm".
The particular scanner report reads as follows:
Description:
The target Secure Shell 2 (SSH2) server supports a potentially weak key
exchange algorithm.
Observation:
The Secure Shell 2 (SSH2) protocol is a presentation layer protocol used to
provide secure client-server communication. The SSH2 protocol specification
requires that a SSH2 server support the diffie-hellman-group1-sha1 key exchange
algorithm. This key exchange algorithm is considered strong, but faces a
potential weakness in that the same prime number is used for all key exchanges.
An alternative key exchange algorithm, diffie-hellman-exchange-group-sha1,
provides enhanced security by allowing for the prime number to be specified
during key exchange.
Recommendation:
The server should be configured not to support the diffie-hellman-group1-sha1
algorithm if possible. Consult your vendor's documentation.
Changes
The ER (Enhancement Request) that provides this support in Oracle Solaris is:
from Patch ID: 117177-02 - in Solaris 9.
SunSSH in Solaris 10 and 11 already has support for the diffie-hellman-exchange-group-sha1 algorithm, so no patch is required on these hosts.
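The finding above comes from the key exchange list a server advertises in its SSH_MSG_KEXINIT message. The following is an added example, not part of the Oracle document or of SunSSH: it parses a KEXINIT payload and reports whether diffie-hellman-group1-sha1 and a group exchange method (named diffie-hellman-group-exchange-sha1 on the wire, per RFC 4419) are offered. It assumes the payload has already been extracted from the SSH binary packet framing; the function names, dictionary keys and sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
GROUP1 = "diffie-hellman-group1-sha1"            # fixed 1024-bit prime
GEX_PREFIX = "diffie-hellman-group-exchange-"    # RFC 4419 wire names
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def read_name_list(buf, off):
    """Read one name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("name-list runs past end of payload")
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n

def parse_kexinit(payload):
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload as a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 1 + 16, {}          # skip message type and 16-byte cookie
    for field in FIELDS:
        lists[field], off = read_name_list(payload, off)
    return lists

def audit_kex(payload):
    """Flag the fixed-prime method and note whether group exchange is offered."""
    kex = parse_kexinit(payload)["kex_algorithms"]
    return {"offers_group1": GROUP1 in kex,
            "offers_group_exchange": any(a.startswith(GEX_PREFIX) for a in kex),
            "kex_algorithms": kex}

def build_sample(kex_names):
    """Constructed sample payload for the demo, not a capture from a real host."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    rest = (nl(["ssh-rsa"]) + nl(["aes128-ctr"]) * 2 + nl(["hmac-sha1"]) * 2
            + nl(["none"]) * 2 + nl([]) * 2)
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16) + nl(kex_names) + rest
            + b"\x00" + struct.pack(">I", 0))   # first_kex_packet_follows, reserved

if __name__ == "__main__":
    for offered in (["diffie-hellman-group1-sha1"],
                    ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]):
        print(audit_kex(build_sample(offered)))
```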
Cause