N3048ET-ON Key exchange
Hi
I would like to modify the key-exchange on the switch to remove vulnerabilities such as diffie-hellman-group1-sha1.
I see in general N3000 guides that I could be able to run something like "ip ssh server kex.." to set what I want.
In practice however I cannot find this command - I have very limited options with SSH; I can basically just turn it off or on.
I am running firmware 6.6.0.32, and again it's an N3048ET-ON.
Any ideas?
Thanks
DELL-Josh Cr
Moderator
August 2nd, 2019 07:00
Hi,
Page 1148: https://downloads.dell.com/manuals/common/n-series_cli_660_en-us.pdf
The crypto key generate commands allow you to change the key.
j1Sh
August 2nd, 2019 13:00
Thanks Josh.
But I don't believe this will limit the key-exchange, just change the key itself. Am I incorrect?
I don't see any way to manipulate ciphers either. Right now the switch just allows everything, regardless of vulnerability status.
DELL-Josh Cr
Moderator
August 2nd, 2019 15:00
Right, I don’t see a command to change which algorithms are used.
j1Sh
August 3rd, 2019 14:00
Hrm, well thanks for double checking. The enabled key-exchanges are marked as a PCI vulnerability by Qualys. I find it difficult to allow these switches onto our network if there is no way to modify this. Seems like just the Dell Force switches allow this...
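
Added example (not part of the thread and not Dell code): a scanner finding like the one discussed above can be confirmed by reading the key-exchange list the SSH server advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The sketch assumes the KEXINIT payload was taken from a packet capture; the sample bytes are constructed, not output from an N3048ET-ON, and the `WEAK_KEX` policy set is an assumption apart from diffie-hellman-group1-sha1, which the thread names.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists carried by KEXINIT, in RFC 4253 section 7.1 order.
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c",
          "languages_c2s", "languages_s2c")
# Assumed policy list; the thread itself names only diffie-hellman-group1-sha1.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field name: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                      # skip type byte + 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    if pos + 5 > len(payload):             # first_kex_packet_follows + reserved
        raise ValueError("truncated trailer")
    return out

def weak_kex(payload: bytes) -> list:
    """Return the advertised key-exchange methods that the policy rejects."""
    return [a for a in parse_kexinit(payload)["kex_algorithms"] if a in WEAK_KEX]

def build_sample(kex: list) -> bytes:
    """Construct a KEXINIT payload for testing (zero cookie, fixed other lists)."""
    def name_list(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body
    lists = [kex, ["ssh-rsa"], ["aes128-ctr"], ["aes128-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + b"".join(name_list(l) for l in lists) + b"\x00" + struct.pack(">I", 0))

# Constructed sample: a server that still offers group1 alongside newer methods.
SAMPLE = build_sample(["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
                       "diffie-hellman-group1-sha1"])

if __name__ == "__main__":
    print("weak key exchanges offered:", weak_kex(SAMPLE))
```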