Community Home > Airheads Community Knowledge Base > Support Knowledge Base > Knowledge Base Knowledge Base > Aruba Support KBs Knowledge Base > Monitoring, Management & Location Tracking > How to disable SSH cipher/ MAC algorithms

Monitoring, Management & Location Tracking

How to disable SSH cipher/ MAC algorithms

MVP
MVP
‎03-29-2017 03:07 AM

Requirement:

Some of the security scans may show below Server-to-Client or Client-To-server encryption algorithms as vulnerable:

arcfour
arcfour128
arcfour256

Below are some of the Message Authentication Code (MAC) algorithms:

hmac-md5
hmac-md5-96
hmac-sha1-96



Solution:

Based on the SSH scan result you may want to disable these encryption algorithms or ciphers. 

But before that you could check the current allowed ciphers using the command below: 

# sshd -T | grep "\(ciphers\|macs\)"



Configuration:

You could disable the Ciphers using the command below: 

# vi /etc/ssh/sshd_config

Press key ‘i’ to insert copy the lines below to the end of the file.

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com

 

Now save the file by pressing keys ‘Esc’ => ’:’ => ‘wq!’

 

Then restart the sshd service:

# service sshd restart

 



Verification

You could run the command again to verify allowed ciphers:

# sshd -T | grep "\(ciphers\|macs\)"

 

This would only show the allowed algorithms now. 

Version history
Revision #:
4 of 4
Last update:
‎09-09-2019 09:00 AM
Updated by:
Moderator Moderator
 
View article history
Labels (1)
Labels:
Contributors
0 Kudos
Was this article helpful? Yes No
Comments
BigBadBugbee
‎06-04-2017 07:16 PM
‎06-04-2017 07:16 PM

How is this done with Airwave AMP 8.2.4, where the shell CLI is no longer available?

MadM11
‎08-30-2018 11:45 AM
‎08-30-2018 11:45 AM

Within the Cli on the device (Switch cli)

sign in and type config then type the following commands

sh ip ssh

no ip ssh cipher Commandbelow 

aes128-cbc

3des-cbc

aes192-cbc

aes256-cbc

aes128-ctr

aes192-ctr

rijndael-cbc@lysator.liv.se

 

no ip ssh mac Commandbelow

hmac-md5

hmac-md5-96

hmac-sha1

hmac-sha1-96

cyclesam
‎06-21-2019 10:48 AM
‎06-21-2019 10:48 AM

I followed the instructions, but using the algo's I needed to disable.

kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
ciphers 3des-cbc, blowfish-cbc, cast128-cbc
macs hmac-sha1, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com

And now I can no longer access my SSH, and without access to SSH I can't even undo the changes, how can I fix this please? Other than deleting my server and losing 5 days of work.SSH.jpg

Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Related Solutions

  • No solutions within this category

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium