j1Sh
1 Copper

N3048ET-ON Key exchange

Hi

I would like to modify the key-exchange on the switch to remove vulnerabilities such as diffie-hellman-group1-sha1.

I see in general N3000 guides that I could be able to run something like "ip ssh server kex.." to set what I want. 

In practice, however, I cannot find this command. I have very limited options with SSH; I can basically just turn it off or on.

I am running firmware 6.6.0.32, and again it's an N3048ET-ON.

Any ideas?

Thanks

0 Kudos
4 Replies
Moderator

Re: N3048ET-ON Key exchange

Hi,

Page 1148 https://downloads.dell.com/manuals/common/n-series_cli_660_en-us.pdf The crypto key generate commands allow you to change the key.

Thanks,
Josh Craig
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
0 Kudos
j1Sh
1 Copper

Re: N3048ET-ON Key exchange

Thanks Josh.

But I don't believe this will limit the key-exchange, just change the key itself. Am I incorrect?

I don't see any way to manipulate ciphers either. Right now the switch just allows everything, regardless of vulnerability status.

0 Kudos
Moderator

Re: N3048ET-ON Key exchange

Right, I don’t see a command to change which algorithms are used.

Thanks,
Josh Craig
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
0 Kudos
j1Sh
1 Copper

Re: N3048ET-ON Key exchange

Hrm, well thanks for double checking. The enabled key-exchanges are marked as a PCI vulnerability by Qualys. I find it difficult to allow these switches onto our network if there is no way to modify this. Seems like just the Dell Force switches allow this...

0 Kudos