
Password configured with sha256 option not working

  • 1.  Password configured with sha256 option not working

    Posted Feb 20, 2020 03:45 PM

    Hello,

    I am trying to harden the security of my Aruba 2930F switch by disabling SHA-1 and enabling SHA-256.

    SW01(config)# password non-plaintext-sha256
    SW01(config)# password manager user-name admin sha256 [PASSWORD-STR]

    When I try to log on from the client machine running Linux with OpenSSH legacy SHA-1 deactivated, I get:

    $ ssh admin@10.10.10.10
    Unable to negotiate with 10.0.16.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

    I did follow the ArubaOS Hardening Guide here, but I may have missed something.



  • 2.  RE: Password configured with sha256 option not working
    Best Answer

    MVP GURU
    Posted Feb 21, 2020 07:25 AM

    Hi valentin,

    The first command is for storing the password on the switch.

    The hardening guide is for the ArubaOS Mobility Controller.

    I am not sure it is possible to change the cipher for SSH on an ArubaOS switch...



  • 3.  RE: Password configured with sha256 option not working

    Posted Sep 19, 2020 04:09 PM

    HW HPE 2530-48 ver YB.16.10.0010

     

    ArubaOS-Switch Hardening Guide for 16.06.pdf, p. 19, shows I can create a user with sha256:
    switch(config)# password manager user-name localadmin sha256 95d30169a59c418b52013315fc81bc99fdf0a7b03a116f346ab628496f349ed5

    But I can't find sha256, only sha1, on my switch:

    # password manager user-name admin
    aging-period Configures the password aging time for a user.
    clear-history-record Clears the history of the password for a user.
    min-pwd-length Configures the minimum password length for a user.
    plaintext Enter a plaintext password.
    sha1 Enter a SHA-1 password hash.

    How do I enable sha256 for a user?
    It is easy to decrypt sha1.

    tq



  • 4.  RE: Password configured with sha256 option not working

    MVP GURU
    Posted Sep 19, 2020 07:11 PM

    Hi! Have you tried first enabling password storage as encrypted using SHA-256 through the command password non-plaintext-sha256? I haven't found the sha256 option either.



  • 5.  RE: Password configured with sha256 option not working

    Posted Sep 19, 2020 09:17 PM

    There is no "password non-plaintext-sha256" command:

    HP-2530-24(config)# password non-plaintext-sha256
    Invalid input: non-plaintext-sha256



  • 6.  RE: Password configured with sha256 option not working

    Posted Apr 05, 2021 10:33 AM
    You need to be running a KB edition of ArubaOS to have the 'password non-plaintext-sha256' command available.  Run 'show version' to see which edition and version of the OS you are running.

    If you're running a KB edition, remove the SHA1 users, add 'password non-plaintext-sha256' to your config, then add the sha256 users & hashes.

    ------------------------------
    Shawn Southern
    ------------------------------



  • 7.  RE: Password configured with sha256 option not working

    Posted Apr 05, 2021 10:32 AM
    In order to enable SHA256 hashes for passwords, you have to be running a KB version of the OS, in order to use 'password non-plaintext-sha256'.  I'm running KB.16.09.0015 to test this on an out-of-the-box switch.

    If you're running a KB switch software version, you can have this in your config:
    password operator user-name "operatoruser" sha256 "sha256 hash here"
    password manager user-name "manageruser" sha256 "sha256 hash here"
    password non-plaintext-sha256

    ------------------------------
    Shawn Southern
    ------------------------------