Cisco Bug: CSCvt25301 - SSH is using to small of a Public Key for dss certificate(1024 bits)

Last Modified

Apr 29, 2020

Products (1)

  • Cisco Emergency Responder

Known Affected Releases

11.5(1)

Description (partial)

Symptom:
The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another.

The SSH server is using a public host key that is too small.

Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 bits have been considered deprecated since 2011 and were acceptable only through 2013.

For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).

Nmap results
sudo nmap --script ssh2-enum-algos 10.10.2.12 -p 22

Starting Nmap 5.51 ( http://nmap.org ) at 2019-01-23 18:53 GMT
Nmap scan report for 10.10.2.12
Host is up (0.00057s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (3)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|   server_host_key_algorithms (2)
|       ssh-rsa
|       ssh-dss <============== host key that is too small (1024 bits)
|   encryption_algorithms (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|   mac_algorithms (1)
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com

Possible Solution:
In /etc/sysconfig/sshd, change this value:
AUTOCREATE_SERVER_KEYS=YES
to
AUTOCREATE_SERVER_KEYS=RSAONLY

then restart the sshd service.
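An added verification step, not part of the Cisco bug or of the Emergency Responder product: the script below reads ssh-keyscan-style host key lines, decodes the ssh-rsa / ssh-dss wire format to measure the actual key size, and flags anything below the 2048-bit floor of NIST SP 800-131A or of type ssh-dss, so the result can be compared before and after the RSAONLY change. The host names and key blobs are constructed for the example and are not real keys.

```python
import base64
import struct

# Helpers for the SSH public-key wire format (RFC 4253 "string" and "mpint").
def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    # Positive mpint: big-endian bytes with a leading 0x00 if the high bit is set.
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def host_key_bits(b64_key):
    """Return (key_type, bits): modulus size for ssh-rsa, prime p size for ssh-dss."""
    blob = base64.b64decode(b64_key)
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent e
        n, _ = _read_string(blob, off)      # modulus n
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = _read_string(blob, off)      # prime p; q, g, y follow
        return "ssh-dss", int.from_bytes(p, "big").bit_length()
    return ktype.decode(), None

def assess(known_hosts_lines, min_bits=2048):
    """Flag host keys below the 2048-bit floor of NIST SP 800-131A, and any DSA key."""
    findings = []
    for line in known_hosts_lines:
        host, ktype, b64 = line.split()[:3]
        _, bits = host_key_bits(b64)
        if ktype == "ssh-dss" or (bits is not None and bits < min_bits):
            findings.append((host, ktype, bits))
    return findings

def _fake_key(ktype, *ints):
    # Constructed sample blob: NOT a real key, only the sizes of the numbers matter.
    return base64.b64encode(_string(ktype) + b"".join(_mpint(i) for i in ints)).decode()

# Constructed ssh-keyscan-style output: a 2048-bit RSA key, a 1024-bit DSA key
# (OpenSSH ssh-dss host keys are always 1024-bit) and a 1024-bit RSA key.
SAMPLE_KEYSCAN = [
    "cer.example.com ssh-rsa " + _fake_key(b"ssh-rsa", 65537, (1 << 2047) | 1),
    "cer.example.com ssh-dss " + _fake_key(b"ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3),
    "old.example.com ssh-rsa " + _fake_key(b"ssh-rsa", 65537, (1 << 1023) | 1),
]
```

On a real host, feed `assess()` the lines printed by `ssh-keyscan -t rsa,dss <host>`; after the RSAONLY change and sshd restart, the ssh-dss finding should disappear.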

Conditions:
Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. A 1024-bit key length is deprecated.