Cisco Bug: CSCvt25301 - SSH is using to small of a Public Key for dss certificate(1024 bits)
Apr 29, 2020
- Cisco Emergency Responder
Known Affected Releases
Symptom: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH server is using a small public key. Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 bits were acceptable through 2013, but since 2011 they have been considered deprecated. For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).

Nmap results:

    sudo nmap --script ssh2-enum-algos 10.10.2.12 -p 22

    Starting Nmap 5.51 ( http://nmap.org ) at 2019-01-23 18:53 GMT
    Nmap scan report for 10.10.2.12
    Host is up (0.00057s latency).
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh2-enum-algos:
    |   kex_algorithms (3)
    |       diffie-hellman-group14-sha1
    |       diffie-hellman-group-exchange-sha256
    |       diffie-hellman-group-exchange-sha1
    |   server_host_key_algorithms (2)
    |       ssh-rsa
    |       ssh-dss          <============== Certificate that is too small
    |   encryption_algorithms (6)
    |       aes128-ctr
    |       aes192-ctr
    |       aes256-ctr
    |       aes128-cbc
    |       aes192-cbc
    |       aes256-cbc
    |   mac_algorithms (1)
    |       hmac-sha1
    |   compression_algorithms (2)
    |       none
    |_      firstname.lastname@example.org

Possible Solution: Update /etc/sysconfig/sshd and change this value:

    AUTOCREATE_SERVER_KEYS=YES

to

    AUTOCREATE_SERVER_KEYS=RSAONLY

then restart the ssh service.

Conditions: Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. A 1024-bit key length is deprecated.
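The nmap script above only lists which host-key algorithms the server offers; it does not show the actual key sizes, and after applying the RSAONLY workaround you still want to confirm both that ssh-dss is gone and that the remaining RSA key is at least 2048 bits. The following Python script is an added example (it is not Cisco's code and not part of the bug report): it parses lines in the format produced by `ssh-keyscan` (`host type base64`), decodes the RFC 4253 public-key wire format, and reports the bit length of the RSA modulus or the DSA prime, flagging anything that fails the SP 800-131A threshold. The host 10.10.2.12 is taken from the nmap output; the key material is constructed in the script from arbitrary integers so it runs offline, and is not a real key pair.

```python
"""Audit SSH host keys for weak sizes from ssh-keyscan-style output.

Added example, not Cisco's code. The key lines are parsed per the
public-key format of RFC 4253 section 6.6: a string with the key type,
followed by mpints (RSA: e, n; DSA: p, q, g, y). The key size that
NIST SP 800-131A talks about is the bit length of n (RSA) or p (DSA).
"""
import base64
import struct

MIN_BITS = 2048  # SP 800-131A: RSA/DSA signature keys must be >= 2048 bits


def _read_string(blob, offset):
    """Read one SSH 'string' (uint32 length prefix + bytes) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def ssh_key_bits(line):
    """Return (key_type, bits) for one 'host type base64' or 'type base64' line.

    bits is the size of the RSA modulus n or the DSA prime p. For other key
    types (ecdsa, ed25519) the size is fixed by the curve, so None is returned.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no key type/blob found in line: %r" % line)
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field %s does not match encoded type %s"
                         % (key_type, wire_type.decode()))
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)        # e, the public exponent
        n, _ = _read_string(blob, off)          # n, the modulus
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)          # p is the first mpint
        return key_type, int.from_bytes(p, "big").bit_length()
    return key_type, None


def audit_keyscan(lines, min_bits=MIN_BITS):
    """Return (host, key_type, bits, reason) for every key that fails policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host = line.split()[0]
        key_type, bits = ssh_key_bits(line)
        if key_type == "ssh-dss":
            findings.append((host, key_type, bits,
                             "ssh-dss host key offered (1024-bit DSA with SHA-1, deprecated)"))
        elif bits is not None and bits < min_bits:
            findings.append((host, key_type, bits, "key shorter than %d bits" % min_bits))
    return findings


# --- constructed sample input (NOT real keys, just correctly framed integers) ---

def _mpint(n):
    """Encode a positive integer as an SSH mpint (minimal, sign bit clear)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _fake_key_line(host, key_type, numbers):
    """Build one ssh-keyscan style line from a key type and its mpint values."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += b"".join(_mpint(x) for x in numbers)
    return "%s %s %s" % (host, key_type, base64.b64encode(blob).decode())


# Constructed to mirror the nmap finding: the host offers both an RSA key
# (here 2048-bit) and a 1024-bit ssh-dss key.
SAMPLE_KEYSCAN = [
    _fake_key_line("10.10.2.12", "ssh-rsa", [65537, (1 << 2047) | 12345]),
    _fake_key_line("10.10.2.12", "ssh-dss", [(1 << 1023) | 7, (1 << 159) | 1, 2, 3]),
]

if __name__ == "__main__":
    # Real usage: pipe `ssh-keyscan -t rsa,dsa 10.10.2.12` into this script.
    for host, key_type, bits, reason in audit_keyscan(SAMPLE_KEYSCAN):
        print("%s %s %s bits: %s" % (host, key_type, bits, reason))
```

After the RSAONLY change and service restart, the ssh-dss line should disappear from `ssh-keyscan` output and `audit_keyscan` should return an empty list; if it still reports the DSS key, the old host key file is still being read by sshd.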