Michal Malinsky

Support for DH2048 (and better)


Looks like the SSH module used for password resets (at least for Cisco switches) only supports DH1024; when, e.g., the switch requires DH2048, pass validation or reset fails. Tested on Cisco Catalyst 2960X, fw 15.2(4)E9.

 

Switch config:
ip ssh dh min size 2048

Switch Log:

%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server

 

Passwordstate log:
A manual Account Heartbeat check failed to validated the password for account admin (<pass list>) of Account Type 'Cisco IOS' on Host <IP>. Error = Failed to validate password for account '<login>' on Host '<IP>'. Error = Exception calling "Connect" with "0" argument(s): "An established connection was aborted by the server."

 

 


For anyone reading this, we worked with Michal over email and discovered that the Cisco Validation script was using a different library to a majority of our SSH scripts. We've now migrated this script using the Chilkat library, and this natively supports DH2048 or better.

 

You'll need to upgrade Passwordstate to take advantage of this change to at least 8876 or newer.

 

Regards,

Support.
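
Added example, not part of the original thread and not Passwordstate or Chilkat code: a check that parses the `kex_algorithms` list from an SSH client's KEXINIT message and sorts the offered methods against a minimum DH size such as the switch's `ip ssh dh min size 2048`. The sample KEXINIT is constructed; the thread does not say which methods the old library offered.

```python
import struct

# Modulus bits of the fixed groups named in RFC 4253 and RFC 8268.
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group15-sha512": 3072,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group17-sha512": 6144,
    "diffie-hellman-group18-sha512": 8192,
}
GEX_PREFIX = "diffie-hellman-group-exchange-"  # size negotiated per session (RFC 4419)


def kex_algorithms(payload: bytes) -> list:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    offset = 1 + 16  # skip the message type byte and the 16-byte cookie
    (length,) = struct.unpack_from(">I", payload, offset)
    names = payload[offset + 4 : offset + 4 + length]
    if len(names) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return names.decode("ascii").split(",") if names else []


def classify(offered: list, min_bits: int) -> dict:
    """Sort offered key-exchange methods against a minimum DH modulus size."""
    result = {"meets_minimum": [], "below_minimum": [], "negotiated": [], "other": []}
    for name in offered:
        if name in FIXED_GROUP_BITS:
            key = "meets_minimum" if FIXED_GROUP_BITS[name] >= min_bits else "below_minimum"
        elif name.startswith(GEX_PREFIX):
            key = "negotiated"  # depends on the min/max the client requests
        else:
            key = "other"  # e.g. ECDH or curve25519: not finite-field DH
        result[key].append(name)
    return result


def build_kexinit(kex: list) -> bytes:
    """Constructed sample: a KEXINIT with only the first name-list filled in."""
    first = ",".join(kex).encode("ascii")
    tail = struct.pack(">I", 0) * 9 + b"\x00" + struct.pack(">I", 0)
    return bytes([20]) + bytes(16) + struct.pack(">I", len(first)) + first + tail
```

A client whose `meets_minimum` and `negotiated` lists are both empty has no finite-field DH method that can satisfy the configured minimum.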
