[BTI] RSA Key Algorithm, Cipher and MAC support for BTI7800 series

Article ID: KB34658
KB Last Updated: 21 Jun 2019
Version: 1.0
Summary:

The article describes the key algorithms, ciphers, MACs and key-exchange types supported by the BTI Series 7800 (7801, 7802, 7814), and describes how to verify which types are being used when establishing an SSH session. 

Support for the RSA key algorithm has been added in BTI Series 7800 version 4.5.

Symptoms:

For SSH (secure shell) connections to BTI Series 7800 version 4.4 and earlier, the key algorithm is limited to DSS/DSA. While the RSA key algorithm is not supported until version 4.5, a session established using the DSA key algorithm is still considered secure as long as a strong cipher, MAC and key exchange are used.

In the trace below, a secure shell connection is established to a BTI Series 7800 running version 4.4. The SSH client selected ssh-dss (the DSA key algorithm), cipher aes256-ctr, MAC hmac-sha2-512, and diffie-hellman-group14-sha1 key exchange.

[LOCAL] : SSH2Core version 7.2.0.415
[LOCAL] : Connecting to 10.228.30.80:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
 ---output TRUNCATED---
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss

[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha2-512
 --output TRUNCATED--
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded
Welcome to BTI 7800 CLI
admin connected from 10.104.40.90 using ssh on scm1


Note: Concerns about the DSA key algorithm are typically due to its key length, which can be limited to 1024 bits. However, some SSH clients have since been updated to allow for DSA key lengths up to 2048 bits.
 

Solution:

For RSA key algorithm support, upgrade to BTI Series 7800 version 4.5. The version of the SSH server has been updated in the system OS.

In the trace below, a secure shell connection is established to a BTI Series 7800 running version 4.5. The 7800's SSH server is presenting two available Host Key Algorithms: ssh-rsa and ssh-dss. The SSH client has selected ssh-rsa (the RSA key algorithm), cipher aes256-ctr, MAC hmac-sha2-512, and diffie-hellman-group14-sha1 key exchange.

[LOCAL] : SSH2Core version 7.2.0.415
[LOCAL] : Connecting to 10.228.30.80:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
 ---output Truncated---
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-rsa

[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha2-512
 ---output TRUNCATED---
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded
Welcome to BTI 7800 CLI
admin connected from 10.104.40.104 using ssh on scm2
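
The verification step shown in the traces above can be scripted. The following is an added example, not part of the Juniper article: it parses the "Available Remote" and "Selected" lines of a client trace and reports which negotiated or offered algorithms appear on a deny list. The function names and the deny list are assumptions representing a local policy, and the sample is an excerpt of the version 4.5 trace.

```python
import re

# Sample input: excerpt of the version 4.5 trace shown above.
TRACE = """\
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-cbc
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
"""

# Assumed local policy (not from the article): algorithms we do not want negotiated.
DENY = {"diffie-hellman-group1-sha1", "3des-cbc", "hmac-md5", "hmac-md5-96"}

LINE = re.compile(r"^\[LOCAL\] : (Available Remote|Selected) (.+?) = (\S+)\s*$")

def _category(label):
    # Normalise plural/singular labels: "Kex Methods" and "Kex Method" -> "kex method".
    label = label.lower()
    return label[:-1] if label.endswith("s") else label

def parse_trace(text):
    """Return {category: {"offered": [...], "selected": str or None}}."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip connection, state and truncation lines
        kind, label, value = m.groups()
        entry = result.setdefault(_category(label), {"offered": [], "selected": None})
        if kind == "Selected":
            entry["selected"] = value
        else:
            entry["offered"] = value.split(",")
    return result

def audit(text, deny=DENY):
    """Return (selected_denied, offered_denied) as sorted (category, algorithm) lists."""
    selected, offered = [], []
    for cat, e in parse_trace(text).items():
        if e["selected"] in deny:
            selected.append((cat, e["selected"]))
        offered += [(cat, a) for a in e["offered"] if a in deny]
    return sorted(selected), sorted(offered)
```

An empty first list means the session itself negotiated nothing on the deny list; the second list shows what the server still offers, which matters for clients that would pick differently.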
