
Support for DH2048 (and better)


Looks like the SSH module used for password resets (at least for Cisco switches) only supports DH1024; when, e.g., the switch requires DH2048, password validation or reset fails. Tested on Cisco Catalyst 2960X, fw 15.2(4)E9.


Switch config:
ip ssh dh min size 2048

Switch Log:

%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server


Passwordstate log:
A manual Account Heartbeat check failed to validated the password for account admin (<pass list>) of Account Type 'Cisco IOS' on Host <IP>. Error = Failed to validate password for account '<login>' on Host '<IP>'. Error = Exception calling "Connect" with "0" argument(s): "An established connection was aborted by the server."


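To check what a device actually enforces before pointing a reset or heartbeat script at it, here is an added example (my own code, not Passwordstate's or Click Studios') that speaks just enough of the SSH transport to ask a server for a DH group-exchange modulus of a given size and report whether it hands one back, sends a DISCONNECT, or simply drops the session, which is what the DH_RANGE_FAIL syslog line and the "connection was aborted by the server" error above describe. It assumes the server offers the group-exchange KEX methods from RFC 4419 and understands the newer KEX_DH_GEX_REQUEST (min/n/max) message; the host and port are whatever you pass in, and nothing here is specific to Passwordstate or to any one SSH library.

```python
"""Probe which Diffie-Hellman group-exchange sizes an SSH server accepts.
Banner, KEXINIT and KEX_DH_GEX_REQUEST are exchanged before encryption starts,
so a plain socket is enough.  A server enforcing a minimum modulus size (Cisco IOS
'ip ssh dh min size 2048') refuses a request below it; otherwise it returns p."""
import os
import socket
import struct
import sys

SSH_MSG_DISCONNECT = 1
SSH_MSG_KEXINIT = 20
SSH_MSG_KEX_DH_GEX_GROUP = 31
SSH_MSG_KEX_DH_GEX_REQUEST = 34
GEX_KEX = ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1"]


def ssh_string(data):  # RFC 4251 'string': uint32 length + bytes
    return struct.pack(">I", len(data)) + data


def parse_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def name_list(names):  # RFC 4251 'name-list': comma-separated string
    return ssh_string(",".join(names).encode())


def parse_name_list(buf, off):
    raw, off = parse_string(buf, off)
    return (raw.decode().split(",") if raw else []), off


def wrap_packet(payload):
    """Binary packet for the unencrypted phase: block size 8, >= 4 padding bytes, no MAC."""
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + os.urandom(pad)


def build_kexinit(kex_algorithms=GEX_KEX):
    """Offer only group-exchange KEX so the server cannot fall back to a fixed group."""
    lists = [kex_algorithms, ["rsa-sha2-256", "ssh-rsa"],
             ["aes128-ctr"], ["aes128-ctr"], ["hmac-sha1"], ["hmac-sha1"],
             ["none"], ["none"], [], []]
    return (bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
            + b"".join(name_list(names) for names in lists)
            + b"\x00" + b"\x00\x00\x00\x00")  # first_kex_packet_follows=false, reserved


def build_gex_request(bits):
    """min = n = max, so the server must provide exactly this size or refuse."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, bits, bits, bits)


def classify_reply(payload):
    """Interpret the first packet the server sends after the GEX request."""
    if payload[0] == SSH_MSG_KEX_DH_GEX_GROUP:
        raw, _ = parse_string(payload, 1)  # mpint p; g follows but is not needed
        return "accepted", int.from_bytes(raw, "big", signed=True).bit_length()
    if payload[0] == SSH_MSG_DISCONNECT:
        (code,) = struct.unpack_from(">I", payload, 1)
        description, _ = parse_string(payload, 5)
        return "disconnect", f"{code}: {description.decode(errors='replace')}"
    return "unexpected", payload[0]


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionAbortedError("server closed the connection")
        buf += chunk
    return buf


def _read_line(sock):  # byte-wise so no bytes of the following packet are buffered away
    line = b""
    while not line.endswith(b"\n"):
        line += _read_exact(sock, 1)
    return line


def read_packet(sock):
    plen, padlen = struct.unpack(">IB", _read_exact(sock, 5))
    return _read_exact(sock, plen - 1)[:plen - 1 - padlen]


def probe_dh_gex(host, port, bits, timeout=10.0):
    """Ask host:port for a group-exchange modulus of exactly `bits` bits."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-dhgexprobe\r\n")
        line = _read_line(s)
        while not line.startswith(b"SSH-"):  # servers may send text lines before the banner
            line = _read_line(s)
        s.sendall(wrap_packet(build_kexinit()))
        server_kexinit = read_packet(s)
        if server_kexinit[0] != SSH_MSG_KEXINIT:
            return "unexpected", server_kexinit[0]
        offered, _ = parse_name_list(server_kexinit, 17)  # skip msg byte + 16-byte cookie
        if not any(k in offered for k in GEX_KEX):
            return "no-gex", offered
        s.sendall(wrap_packet(build_gex_request(bits)))
        try:
            return classify_reply(read_packet(s))
        except (ConnectionError, socket.timeout):
            return "aborted", bits  # e.g. Cisco dropping the session on a DH range mismatch


if __name__ == "__main__":  # usage: python dhgexprobe.py <switch-ip>
    for size in (1024, 2048, 4096):
        print(size, probe_dh_gex(sys.argv[1], 22, size))
```

Against a switch configured with `ip ssh dh min size 2048` the 1024-bit probe should come back as aborted or disconnected and the 2048-bit probe as accepted, which is exactly the gap a client library that only ever asks for 1024 bits falls into. The probe never completes key exchange, so it does not authenticate and produces no login attempt, but the device may still log the rejected request the same way it logged the failing client.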

For anyone reading this, we worked with Michal over email and discovered that the Cisco validation script was using a different library from the majority of our SSH scripts. We've now migrated this script to the Chilkat library, which natively supports DH2048 or better.


You'll need to upgrade Passwordstate to at least 8876 to take advantage of this change.



