Support for Enabling Specific Ciphers and MAC for SSH

Requirement:

Does Aruba support enabling specific ciphers and MACs for SSH?



Solution:

ArubaOS supports the following ciphers and MAC algorithms for SSH connections to the controller:

1. AES-CBC (cipher)
2. AES-CTR (cipher)
3. HMAC-SHA1 (MAC)
4. HMAC-SHA1-96 (MAC)

By default, all the algorithms are enabled in ArubaOS.

Starting from ArubaOS 6.5.4.4, the controller allows you to enable or disable a specific cipher or the HMAC-SHA1-96 authentication algorithm by using the WebUI or the CLI.



Configuration:

 

WebUI:

1. Navigate to the Configuration > Management > General page.
2. Under SSH (Secure Shell) Authentication Method > Encryption, select AES-CBC, AES-CTR, or Both.
3. Under SSH (Secure Shell) Authentication Method > Authentication, select HMAC-SHA1-96.

CLI:

(Aruba) (config) #ssh disable-ciphers ?
aes-cbc                 Disable AES-CBC. AES-CTR will be enabled.
aes-ctr                 Disable AES-CTR. AES-CBC will be enabled.

(local2) (config) #ssh disable-mac ?
hmac-sha1-96            Disable hmac-sha1-96.



Verification:

1. Default SSH Configuration:

(Aruba) (config) #show ssh

SSH Settings:
-------------
DSA                                 Enabled
Mgmt User Authentication Method     username/password
Ciphers                             aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs                                hmac-sha1,hmac-sha1-96

In a packet capture, the Server: Key Exchange Init message advertises these same ciphers and MACs.

2. Disable one cipher and one MAC:


(Aruba) (config) #ssh disable-mac hmac-sha1-96
(Aruba) (config) #ssh disable-ciphers aes-cbc
(Aruba) (config) #show ssh

SSH Settings:
-------------
DSA                                 Enabled
Mgmt User Authentication Method     username/password
Ciphers                             aes128-ctr,aes192-ctr,aes256-ctr
MACs                                hmac-sha1

In the packet capture, the Server: Key Exchange Init message no longer advertises aes-cbc or hmac-sha1-96.
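The pcap check above is done by eye in Wireshark; the following Python script, added here and not part of the Aruba article, does the same check programmatically by parsing an SSH_MSG_KEXINIT packet (RFC 4253 binary packet format) and reporting any CBC cipher or hmac-sha1-96 the server still advertises. The sample packet is constructed from the default "show ssh" lists; the kex algorithm name in it is an assumption, since the article does not show it.

```python
"""Parse an SSH_MSG_KEXINIT packet and flag CBC ciphers and hmac-sha1-96."""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

def build_kexinit(fields):
    """Wrap name-lists in a KEXINIT binary packet (used to construct sample input)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # message id + 16-byte cookie (zeros for the sample)
    for name in NAME_LIST_FIELDS:
        value = ",".join(fields.get(name, [])).encode()
        payload += struct.pack(">I", len(value)) + value
    payload += b"\x00" + b"\x00\x00\x00\x00"            # first_kex_packet_follows=FALSE, reserved uint32
    pad = (-(len(payload) + 5)) % 8                     # total length must be a multiple of 8 ...
    if pad < 4:                                         # ... with at least 4 bytes of random padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def parse_kexinit(packet):
    """Return the ten name-lists of a KEXINIT packet as a dict of lists."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT message")
    pos, fields = 17, {}                                # skip message id and cookie
    for name in NAME_LIST_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + length
    return fields

def weak_algorithms(fields):
    """The algorithms the article disables: any *-cbc cipher and hmac-sha1-96 (server-to-client lists)."""
    ciphers = [c for c in fields["enc_s2c"] if c.endswith("-cbc")]
    macs = [m for m in fields["mac_s2c"] if m == "hmac-sha1-96"]
    return ciphers, macs

# Constructed sample: the controller's default lists from "show ssh"; the kex name is an assumption.
DEFAULT = {
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-dss"],
    "enc_c2s": ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "enc_s2c": ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96"], "mac_s2c": ["hmac-sha1", "hmac-sha1-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# Constructed sample: the same lists after "ssh disable-ciphers aes-cbc" and "ssh disable-mac hmac-sha1-96".
HARDENED = dict(DEFAULT, enc_c2s=["aes128-ctr", "aes192-ctr", "aes256-ctr"],
                enc_s2c=["aes128-ctr", "aes192-ctr", "aes256-ctr"],
                mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"])
```

To audit a live controller, feed parse_kexinit the first binary packet the server sends after the version banner exchange; the padding bytes are irrelevant to the parse.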

Version history
Revision #: 2 of 2
Last update: 11-06-2018 03:37 PM