topic Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work in Firewall and Security Management

Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

checkpointer — Wed, 06 Oct 2021 12:56:45 GMT

Hi guys,

Can you help me with this please?

Trying to follow sk165685 but command does not work on r80.20.

Regards,

Checkpointer

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

G_W_Albrecht — Wed, 06 Oct 2021 13:12:07 GMT

I assume this does work in R80.40 / R81 only, as it reads: In R80.40, openSSL and openSSH were upgraded.

Then the command ssh -Q options are listed...

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

checkpointer — Wed, 06 Oct 2021 13:26:00 GMT

Thanks GW, is there any other way you might know of to get the information around supported MAC/HMACs in R80.20?

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

G_W_Albrecht — Wed, 06 Oct 2021 13:36:35 GMT

For SSH, the -Q option was added in OpenBSD 5.5 only. Try cat /etc/ssh/ssh_config to read config file 8)

See sk106031: How to change SSH encryption protocols and Message Authentication Code settings also.

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

PhoneBoy — Wed, 06 Oct 2021 14:41:54 GMT

Unfortunately, the underlying components require a newer version of the Linux kernel not present in R80.20.
Upgrade to at least R80.40, which is in wide use by our customers.

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

Bob_Zimmerman — Thu, 07 Oct 2021 13:28:42 GMT

Up until R80.30 GAiA 3.10, Check Point includes OpenSSH 4.3p2, which corresponds to OpenBSD 3.9. Here is the version of the manpage you should use:

https://man.openbsd.org/OpenBSD-3.9/sshd_config

At that time, the only HMACs supported were hmac-md5 and hmac-sha1 (Turns out I was wrong about this. See below.). Of note, MD5 provides plenty of security for an HMAC.

With the move to a newer RHEL base, R80.30 management, R80.40 firewall, and up include OpenSSH 7.8p1, from mid-2018.

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

checkpointer — Thu, 07 Oct 2021 07:35:07 GMT

Hi Bob, thanks for this. What is the source of this information? Can I validate it with any SK's?

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

Bob_Zimmerman — Thu, 07 Oct 2021 13:25:05 GMT

Version is obtained using 'sshd -v'. You can then check the OpenBSD 3.9 release notes, which say it includes OpenSSH 4.3. The manpage above is the OpenBSD 3.9 version of the manpage, though I somehow got the link text wrong. That link goes to sshd_config, which is the correct page. Look for the "MACs" option.

I also misinterpreted something I read elsewhere. OpenSSH 4.3 supports four HMACs: hmac-md5, hmac-sha1, hmac-ripemd160, hmac-sha1-96, hmac-md5-96.

Re: Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

checkpointer — Thu, 07 Oct 2021 13:44:47 GMT

Fantastic, thanks Bob.

I was able to get version with 'rpm -qa | grep ssh', 'sshd -v' didn't work in my (lab) r80.10.

Once again thank you so much for this, I am much obliged to you for answering my question!

Regards,

Checkpointer