https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/92645#M10780 <P>We're needing to tighten up our SSH settings if possible.</P><P>These two lines have been set in /etc/ssh/sshd_config and are producing the expected results.</P><P>Ciphers aes256-ctr,aes192-ctr,aes128-ctr<BR />MACs hmac-sha1</P><P>However, trying to set the key exchange algorithms with this does not work:</P><P>KexAlgorithms diffie-hellman-group14-sha1</P><P>I've tried various combos; the actual goal is to disable this one, as it shows up as available: diffie-hellman-group-exchange-sha1</P><P>| ssh2-enum-algos:<BR />| kex_algorithms: (2)<BR />| diffie-hellman-group-exchange-sha1<BR />| diffie-hellman-group14-sha1</P><P>Regardless, the result of trying to set KexAlgorithms in any way is:</P><P>Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: KexAlgorithms<BR />/etc/ssh/sshd_config: terminating, 1 bad configuration options<BR />[FAILED]</P><P>&nbsp;</P><P>I thought CP uses standard OpenSSH, so in theory that option should work correct?</P><P>We're on R80.10 if that matters. Anyone have any ideas? Thanks!</P> Tue, 28 Jul 2020 15:38:06 GMT cvega-nrel 2020-07-28T15:38:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/92645#M10780 <P>We're needing to tighten up our SSH settings if possible.</P><P>These two lines have been set in /etc/ssh/sshd_config and are producing the expected results.</P><P>Ciphers aes256-ctr,aes192-ctr,aes128-ctr<BR />MACs hmac-sha1</P><P>However, trying to set the key exchange algorithms with this does not work:</P><P>KexAlgorithms diffie-hellman-group14-sha1</P><P>I've tried various combos; the actual goal is to disable this one, as it shows up as available: diffie-hellman-group-exchange-sha1</P><P>| ssh2-enum-algos:<BR />| kex_algorithms: (2)<BR />| diffie-hellman-group-exchange-sha1<BR />| diffie-hellman-group14-sha1</P><P>Regardless, the result of trying to set KexAlgorithms in any way is:</P><P>Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: KexAlgorithms<BR />/etc/ssh/sshd_config: terminating, 1 bad configuration options<BR />[FAILED]</P><P>&nbsp;</P><P>I thought CP uses standard OpenSSH, so in theory that option should work correct?</P><P>We're on R80.10 if that matters. Anyone have any ideas? Thanks!</P> Tue, 28 Jul 2020 15:38:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/92645#M10780 cvega-nrel 2020-07-28T15:38:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/92657#M10781 <P>R80.10 is using an older version of OpenSSH which may not support those options.<BR />This is required due to the older Linux kernel version in R80.10.<BR />When we updated the Linux kernel in R80.40, we also updated OpenSSH and many other userspace tools.</P> <P>It is not likely we will update OpenSSH in versions prior to R80.40.</P> Tue, 28 Jul 2020 18:18:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/92657#M10781 PhoneBoy 2020-07-28T18:18:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/112271#M15576 <P>Did you find a solution to this ?&nbsp;</P> Tue, 02 Mar 2021 13:01:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/112271#M15576 LostBoY 2021-03-02T13:01:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/112291#M15584 <P>SecurePlatform and GAiA versions with the 2.6 kernel (I think all firewalls from R65 through R80.40 and all managements from R65 through R80.30) have OpenSSH&nbsp;<SPAN>4.3p2. That version is too old to support configurable key exchange protocols. You have to upgrade to a newer OS version (R80.40 or R81) to get the newer kernel (3.10) and newer OpenSSH (now 7.8p1). Once you have upgraded, KexAlgorithms should be a valid option in the sshd_config.</SPAN></P> Tue, 02 Mar 2021 15:36:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-key-exchange-algorithms/m-p/112291#M15584 Bob_Zimmerman 2021-03-02T15:36:32Z