How to disable obsolete SSH cipher/MAC algorithms

Requirement:

Some security scans may flag the following server-to-client or client-to-server encryption algorithms as vulnerable:

arcfour
arcfour128
arcfour256

Some of the Message Authentication Code (MAC) algorithms that may be flagged as well:

hmac-md5
hmac-md5-96
hmac-sha1-96

Solution:

Based on the SSH scan result, you may want to disable these obsolete encryption (cipher) and MAC algorithms.

Before doing so, check the currently allowed ciphers and MACs with the command below (sshd -T prints the effective configuration):

# sshd -T | grep "\(ciphers\|macs\)"

Configuration:

Disable the ciphers by editing the sshd configuration file:

# vi /etc/ssh/sshd_config

Press ‘i’ to enter insert mode and append the lines below to the end of the file.

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com

Save the file and exit by pressing ‘Esc’, then typing ‘:wq!’.

Then restart the sshd service:

# service sshd restart

Verification

Run the same command again to verify the allowed ciphers and MACs:

# sshd -T | grep "\(ciphers\|macs\)"

The output should now list only the allowed algorithms.
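As an added example (not part of the original article), the following POSIX shell script turns the check above into a repeatable audit: it parses the "ciphers" and "macs" lines that "sshd -T" prints, reports any of the obsolete algorithms named at the top of this page that are still enabled, and prints the cleaned-up lines to paste into sshd_config. The sample "sshd -T" output is constructed, and the deny lists contain only the algorithms this page names, so extend them to whatever your scanner flags.

```sh
#!/bin/sh
# Added example: audit "sshd -T" ciphers/macs lines against the obsolete algorithms
# named on this page and print the hardened sshd_config lines. Not the article's code.
# Constructed sample of what "sshd -T | grep ..." prints on an unhardened host.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-md5-96,hmac-sha1-96'
# Deny lists taken from the page: the arcfour family, and the MD5 / truncated MACs.
OBSOLETE_CIPHERS='arcfour arcfour128 arcfour256'
OBSOLETE_MACS='hmac-md5 hmac-md5-96 hmac-sha1-96'
# filter_algos KEY INPUT MODE: take the "KEY value" line from INPUT (sshd -T format),
# split the comma-separated value and print, comma-separated, the entries that are
# on the deny list (MODE=weak) or the entries that are not (MODE=keep).
filter_algos() {
  key=$1 input=$2 mode=$3
  case $key in
    ciphers) deny=$OBSOLETE_CIPHERS ;;
    macs)    deny=$OBSOLETE_MACS ;;
    *) echo "unknown keyword: $key" >&2; return 1 ;;
  esac
  value=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $2; exit }')
  out=''
  for algo in $(printf '%s' "$value" | tr ',' ' '); do
    case " $deny " in
      *" $algo "*) listed=weak ;;
      *)           listed=keep ;;
    esac
    if [ "$listed" = "$mode" ]; then out="${out:+$out,}$algo"; fi
  done
  printf '%s\n' "$out"
}
# audit_sshd_t: read sshd -T output on stdin, report per keyword, print the replacement
# sshd_config line where needed, and return 1 if anything obsolete is still enabled.
audit_sshd_t() {
  input=$(cat)
  rc=0
  for key in ciphers macs; do
    weak=$(filter_algos "$key" "$input" weak)
    if [ -n "$weak" ]; then
      echo "$key: obsolete algorithms enabled: $weak"
      echo "  suggested sshd_config line: $key $(filter_algos "$key" "$input" keep)"
      rc=1
    else
      echo "$key: no obsolete algorithms enabled"
    fi
  done
  return "$rc"
}
# Demo on the constructed sample; on a real host use:  sshd -T | audit_sshd_t
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_t || echo "sshd needs hardening (exit status $?)"
```

A non-zero exit status makes the script usable from a cron job or CI check that should fail while obsolete algorithms remain enabled.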

Version history: Revision 2 of 2, last update 03-29-2017 03:07 AM
Comments
BigBadBugbee

How is this done with Airwave AMP 8.2.4, where the shell CLI is no longer available?

MadM11

Within the CLI on the device (switch CLI):

Sign in and type config, then type the following commands:

sh ip ssh

no ip ssh cipher <command below>

aes128-cbc
3des-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
rijndael-cbc@lysator.liu.se

no ip ssh mac <command below>

hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
