VNX: Qualys scan detects QID 38738 - SSH Server Public Key Too Small

Summary: VNX: Qualys scan detects QID 38738 - SSH Server Public Key Too Small (User Correctable)

Not all product versions are identified in this article.

Symptoms

Qualys scan detects the following QID:
QID 38738 - SSH Server Public Key Too Small:
"THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH Server is using a small Public Key. Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 are acceptable through 2013, but since 2011 they are considered deprecated. For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).
Only server keys that are not part of a certificate are reported in this QID. OpenSSH certificates using short keys are reported in QID 38733. X.509 certificates using short keys are reported in QID 38171.
SOLUTION: DSA keys and RSA keys shorter than 2048 bits are considered vulnerable. It is recommended to install an RSA public key length of at least 2048 bits or greater, or to switch to ECDSA or EdDSA."

Cause

The VNX control station's SSH server offers two host keys: a 2048-bit RSA key, which passes the check, and a 1024-bit DSA key, which is what the scanner reports.

Resolution

Looking at the host keys under /etc/ssh on the control station, ssh-keygen -l reports a 2048-bit RSA host key (the first field is the key length in bits, the second the fingerprint; the private key file and its .pub counterpart give the same answer):
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 57:4e:5e:4f:3a:94:f6:3f:84:81:18:5c:b1:72:3b:b4 ssh_host_rsa_key.pub (RSA)
ssh-keygen -lf ssh_host_rsa_key.pub
2048 57:4e:5e:4f:3a:94:f6:3f:84:81:18:5c:b1:72:3b:b4 ssh_host_rsa_key.pub (RSA)

However, the DSA host key is only 1024 bits long:
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
1024 2d:b9:e3:e0:64:e2:5f:18:3c:8f:e5:4e:18:3a:87:cd ssh_host_dsa_key.pub (DSA)
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
1024 2d:b9:e3:e0:64:e2:5f:18:3c:8f:e5:4e:18:3a:87:cd ssh_host_dsa_key.pub (DSA)
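To check the same thing the way the scanner does, the following added example (not part of this Dell article) classifies host keys from ssh-keygen -lf output using the QID 38738 rule: any DSA key and any RSA key shorter than 2048 bits is flagged, ECDSA and ED25519 are accepted. The sample key lines are constructed from the control station output above plus a hypothetical ED25519 key; scan_host, which needs network access and is not exercised here, is an assumption about how the host would be probed with ssh-keyscan.

```shell
#!/bin/sh
# Added example, not Dell's code: flag SSH host keys the way QID 38738 does.
# Input format is "ssh-keygen -lf" output: "<bits> <fingerprint> <comment> (<TYPE>)".

# Constructed sample: the two control station keys from the article plus a
# hypothetical ED25519 key to show an accepted type.
SAMPLE_KEYS='2048 57:4e:5e:4f:3a:94:f6:3f:84:81:18:5c:b1:72:3b:b4 ssh_host_rsa_key.pub (RSA)
1024 2d:b9:e3:e0:64:e2:5f:18:3c:8f:e5:4e:18:3a:87:cd ssh_host_dsa_key.pub (DSA)
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ssh_host_ed25519_key.pub (ED25519)'

# classify_key BITS TYPE
# Prints one verdict line; returns 1 when the key would trigger QID 38738.
classify_key() {
    bits=$1
    type=$2
    case "$type" in
        DSA)
            # ssh-dss keys are limited to 1024 bits, so the size cannot be
            # raised; the only fix is to stop offering the key.
            printf 'WEAK  DSA %s bits (ssh-dss, cannot exceed 1024)\n' "$bits"
            return 1 ;;
        RSA)
            if [ "$bits" -lt 2048 ]; then
                printf 'WEAK  RSA %s bits (below 2048)\n' "$bits"
                return 1
            fi
            printf 'OK    RSA %s bits\n' "$bits" ;;
        ECDSA|ED25519)
            printf 'OK    %s %s bits\n' "$type" "$bits" ;;
        *)
            printf 'OTHER %s %s bits (not classified)\n' "$type" "$bits" ;;
    esac
    return 0
}

# audit_keys
# Reads ssh-keygen -lf lines on stdin, prints a verdict per key and returns 1
# if any key is weak, so it can gate a pipeline or a scheduled check.
audit_keys() {
    weak=0
    while read -r bits rest; do
        [ -n "$bits" ] || continue
        # The key type is the parenthesised last field, e.g. "(DSA)".
        type=${rest##*"("}
        type=${type%")"}
        classify_key "$bits" "$type" || weak=1
    done
    return "$weak"
}

# scan_host HOST
# What an external scanner sees: pull every host key the server offers and
# classify it. Needs network access; an ssh-keyscan built without DSA support
# simply returns no dsa key.
scan_host() {
    ssh-keyscan -t rsa,dsa,ecdsa,ed25519 "$1" 2>/dev/null \
        | ssh-keygen -lf /dev/stdin \
        | audit_keys
}

# Local check on the control station itself (run from /etc/ssh):
#   for k in ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done | audit_keys
# Stand-alone demo on the constructed sample; a nonzero status means a weak key.
printf '%s\n' "$SAMPLE_KEYS" | audit_keys || echo "weak host key present"
```

On the control station the local loop above reproduces the finding (the DSA line is flagged, the RSA line passes); run scan_host against the control station's management address to confirm that the DSA key is really offered on the wire, which is the condition the scanner reports on.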

OpenSSH limits ssh-dss host keys to 1024 bits, so the DSA key cannot simply be regenerated at a larger size; the normal fix is to stop the server from offering a DSA host key at all. In current OpenSSH releases that is done with the HostKeyAlgorithms option in sshd_config. That option is not supported by the older OpenSSH release running on the control station (it is an OpenSSH option, not an OpenSSL one).

A host key is not used to authenticate users and cannot be used to decrypt captured traffic. It is used only to prove the server's identity to connecting clients (which check it against known_hosts) and to sign the initial key exchange, so the exposure is limited to clients that actually negotiate ssh-dss: OpenSSH 7.0 and later clients refuse ssh-dss host keys by default and select the 2048-bit RSA key instead, and older clients can exclude it with the client-side HostKeyAlgorithms option in ssh_config where available. Dell does not consider this a vulnerability, and there are no current plans to upgrade OpenSSH on the control station to a version that supports the server-side HostKeyAlgorithms option. At the moment there is no way to disable the DSA host key on the control station's SSH server, so the cause of the scan finding cannot be removed on the VNX side.

Affected Products

VNX2 Series

Products

VNX VG10, VNX VG2, VNX VG50, VNX VG8, VNX1 Series, VNX2 Series, VNX5200, VNX5300, VNX5400, VNX5500, VNX5600, VNX5700, VNX5800, VNX7500, VNX7600
Article Properties
Article Number: 000056369
Article Type: Solution
Last Modified: 03 Mar 2025
Version:  4