Connectrix Brocade: SHA1 deprecated setting for SSH vulnerability

Summary: SHA1 deprecated setting for SSH vulnerability.


Symptoms

No SHA1 ciphers are present in the seccryptocfg output, but the security scan still reports this vulnerability.

/fabos/link_abin/seccryptocfg --show:
SSH Crypto:
SSH Cipher               : aes128-ctr,aes192-ctr,aes256-ctr
SSH Kex                  : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
SSH MAC                  : hmac-sha2-256,hmac-sha2-512
TLS Ciphers:
HTTPS                    : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
HTTPS_TLS_v1.3           : TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
RADIUS                   : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
LDAP                     : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SYSLOG                   : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
TLS Protocol:
HTTPS                    : Any
RADIUS                   : Any
LDAP                     : Any
SYSLOG                   : Any
--- Truncated ---

 

Cause

In FOS versions prior to FOS 9.2.2, RSA SSH host keys and public keys are used with a signature hashing algorithm (SHA1) that is no longer considered adequately strong and is commonly reported as a potential vulnerability by scanning tools (such as Qualys). This is why the scan flags SHA1 even though no SHA1 cipher, KEX or MAC appears in the seccryptocfg output: before FOS 9.2.2 the host key and public key algorithms are neither listed nor configurable there.

While users can generate and use an ECDSA SSH host key/public key instead of RSA, FOS v9.2.2 is enhanced so that the administrator can configure the SSH HostkeyAlgorithms and PubkeyAlgorithms used for SSH connections to and from FOS, allowing stronger RSA host key/public key signature algorithms to be selected with the seccryptocfg command.
 

Resolution

Upgrade the switch to FOS 9.2.2.

The cryptographic templates in FOS v9.2.2 are updated with "HostKeyAlgorithms" and "PubKeyAlgorithms" key entries under SSH.

Example for platforms shipping with FOS v9.2.2 from factory:
 

seccryptocfg --show
SSH Crypto:
SSH Cipher : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
SSH MAC : hmac-sha2-256,hmac-sha2-512
SSH HostkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521
SSH PubkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521
TLS Ciphers:
--- Truncated ---

 

On platforms upgraded to FOS v9.2.2, the new attributes "HostkeyAlg" and "PubkeyAlg" are configured with the command 'seccryptocfg --apply'.
NOTE: When the SSH HostkeyAlgorithms and PubkeyAlgorithms are configured using 'seccryptocfg --apply', the SSH service (in FOS) is restarted to load the new configuration, and all existing SSH sessions on the current CP as well as on the standby CP (in a chassis) are terminated.

Example:

seccryptocfg --apply -group SSH -attr HostkeyAlg -value 'rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521'
seccryptocfg --apply -group SSH -attr PubkeyAlg -value 'rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521'
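The following is an added audit helper, not part of this article or of FOS, that reads saved 'seccryptocfg --show' output and lists every reason a scanner could still report SHA-1 for the SSH service: explicit SHA-1 entries in any SSH attribute, and the absence of the HostkeyAlg/PubkeyAlg attributes on switches older than FOS 9.2.2 (the case in the Symptoms section). The two sample listings are constructed from the article's own output, trimmed.

```python
import re

# Constructed samples, trimmed from the article's two seccryptocfg --show listings.
# Pre-9.2.2: no SHA1 cipher/KEX/MAC, but no HostkeyAlg/PubkeyAlg attributes exist either.
SHOW_PRE_922 = """\
SSH Crypto:
SSH Cipher               : aes128-ctr,aes192-ctr,aes256-ctr
SSH Kex                  : ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
SSH MAC                  : hmac-sha2-256,hmac-sha2-512
TLS Ciphers:
HTTPS                    : !ECDH:!DH:HIGH:-MD5
"""
# FOS 9.2.2 factory template: HostkeyAlg/PubkeyAlg exist, but the KEX list still carries SHA-1 entries.
SHOW_922 = """\
SSH Crypto:
SSH Cipher : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
SSH Kex : ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
SSH MAC : hmac-sha2-256,hmac-sha2-512
SSH HostkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521
SSH PubkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521
TLS Ciphers:
"""

# Matches "SSH Cipher   : a,b" as well as the unpadded "SSH HostkeyAlg :a,b" form.
SSH_ATTR = re.compile(r"^SSH (\w+)\s*:\s*(.*)$")


def parse_ssh_section(output):
    """Return {attribute: [algorithms]} for the 'SSH Crypto:' block of seccryptocfg --show."""
    attrs, in_ssh = {}, False
    for line in output.splitlines():
        if line.startswith("SSH Crypto:"):
            in_ssh = True
            continue
        if in_ssh and line.endswith(":") and not line.startswith("SSH "):
            break  # reached the next section ("TLS Ciphers:")
        m = SSH_ATTR.match(line)
        if in_ssh and m:
            attrs[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return attrs


def sha1_findings(output):
    """List every reason a scanner could still report SHA-1 for this switch's SSH service."""
    attrs = parse_ssh_section(output)
    findings = []
    for attr, algs in attrs.items():
        weak = [a for a in algs if "sha1" in a or a == "ssh-rsa"]  # ssh-rsa signs with SHA-1
        if weak:
            findings.append(f"SSH {attr} allows SHA-1: {','.join(weak)}")
    for attr in ("HostkeyAlg", "PubkeyAlg"):
        if attr not in attrs:  # attribute only exists from FOS 9.2.2; before that ssh-rsa is implicit
            findings.append(f"SSH {attr} not configurable: RSA keys signed with SHA-1 (ssh-rsa)")
    return findings
```

Run it against the saved output of each switch before and after the upgrade; an empty result means no SHA-1 entry remains and both new attributes are present.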

 

Products

Connectrix B-Series Hardware, Connectrix ED-DCX6-8B
Article Properties
Article Number: 000330885
Article Type: Solution
Last Modified: 12 Jun 2025
Version:  1