- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Hello everyone! We encountered a strange situation. We wanted to disable the diffie-hellman-group14-sha1 cipher. When we checked if it was active using the command # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, it was displayed in the output.
We decided to disable it, according to https://support.checkpoint.com/results/sk/sk172189. We have version 81.10 and according to the instructions, we started editing the file /etc/ssh/templates/sshd_config.templ.
However, we found that this configuration file does not have the diffie-hellman-group14-sha1 cipher in the list of ciphers. We added it to the file manually and put the "-" symbol so that the appearance matches the instructions from the article.
However, after this, diffie-hellman-group14-sha1 was still present in the output of # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms.
Does anyone know why this cipher was not in the configuration file, but was shown in the output of # sshd -T -C? How can we properly disable this cipher?
There are no blades enabled on the gateway except fw.
I would be grateful for any help!
The problem was solved by explicitly specifying only the required algorithms in the configuration file.
That is, instead of
-diffie-...
it was necessary to write, for example,
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Apologies, did not go through all this myself, but maybe verify if what its listed below from AI copilot is what was done.
Andy
***********************
To disable thediffie-hellman-group14-sha1Key Exchange (KEX) method for SSH on Check Point Gaia OS, follow the appropriate procedure based on your Gaia OS version.
show ssh server kex enabled
set ssh server kex diffie-hellman-group14-sha1 off
save config
service sshd restart
/etc/ssh/templates/sshd_config.templfile:
cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}
/etc/ssh/templates/sshd_config.templfile:
vi /etc/ssh/templates/sshd_config.templ
+to-for the KexAlgorithms in question:
KexAlgorithms -diffie-hellman-group14-sha1
/bin/sshd_template_xlate < /config/active
service sshd restart
sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms
Example for the username "admin":
sshd -T -C 'user=admin,addr=::1' | grep kexalgorithms
/etc/ssh/sshd_configfile:
cp -v /etc/ssh/sshd_config{,_BKP}
/etc/ssh/sshd_configfile:
vi /etc/ssh/sshd_config
KexAlgorithmsparameter:
KexAlgorithms -diffie-hellman-group14-sha1
service sshd restart
Please make sure to follow the below mandatory guidelines, to minimize the potential impact of this plan as possible:
If you encounter any issues or need further assistance, please refer to the relevant documentation or open a ticket in the Check Point Support Center at support.checkpoint.com.
Thank you very much for the answer! This is exactly what we did, this text corresponds to the instruction from sk172189, according to which we tried to make changes.
However, what we saw did not look like the instruction. We did not find a line containing diffie-hellman-group14-sha1 in the file /etc/ssh/templates/sshd_config.templ, so we added the line KexAlgorithms -diffie-hellman-group14-sha1 manually.
At the same time, in the output of the command sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, this cipher was displayed both before and after the changes.
Do you know the reason why this happens?
On R82 here's what I did for SSH:
set ssh server cipher 3des-cbc off
set ssh server cipher aes128-cbc off
set ssh server cipher aes128-ctr off
set ssh server cipher [email protected] on
set ssh server cipher aes192-cbc off
set ssh server cipher aes192-ctr off
set ssh server cipher aes256-cbc off
set ssh server cipher aes256-ctr off
set ssh server cipher [email protected] on
set ssh server cipher [email protected] off
set ssh server cipher [email protected] off
set ssh server mac [email protected] off
set ssh server mac [email protected] off
set ssh server mac hmac-sha1 off
set ssh server mac [email protected] off
set ssh server mac [email protected] off
set ssh server mac hmac-sha2-256 on
set ssh server mac [email protected] on
set ssh server mac hmac-sha2-512 on
set ssh server mac [email protected] on
set ssh server mac [email protected] off
set ssh server mac [email protected] off
set ssh server mac [email protected] off
set ssh server mac [email protected] off
set ssh server kex curve25519-sha256 on
set ssh server kex [email protected] on
set ssh server kex diffie-hellman-group1-sha1 off
set ssh server kex diffie-hellman-group14-sha1 off
set ssh server kex diffie-hellman-group14-sha256 on
set ssh server kex diffie-hellman-group16-sha512 on
set ssh server kex diffie-hellman-group18-sha512 on
set ssh server kex diffie-hellman-group-exchange-sha1 off
set ssh server kex diffie-hellman-group-exchange-sha256 on
set ssh server kex ecdh-sha2-nistp256 on
set ssh server kex ecdh-sha2-nistp384 on
set ssh server kex ecdh-sha2-nistp521 on
set ssh server public-key ecdsa-sha2-nistp256 on
set ssh server public-key [email protected] on
set ssh server public-key ecdsa-sha2-nistp384 on
set ssh server public-key [email protected] on
set ssh server public-key ecdsa-sha2-nistp521 on
set ssh server public-key [email protected] on
set ssh server public-key rsa-sha2-256 on
set ssh server public-key [email protected] on
set ssh server public-key rsa-sha2-512 on
set ssh server public-key [email protected] on
set ssh server public-key ssh-dss off
set ssh server public-key [email protected] off
set ssh server public-key ssh-ed25519 on
set ssh server public-key [email protected] on
set ssh server public-key ssh-rsa on
set ssh server public-key [email protected] on
The result reported is:
> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
[email protected]
[email protected]
> show ssh server kex enabled
--------------------------------
enabled kex:
--------------------------------
curve25519-sha256
[email protected]
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha2-256
[email protected]
hmac-sha2-512
[email protected]
> show ssh server public-key enabled
--------------------------------
enabled public-key:
--------------------------------
ecdsa-sha2-nistp256
[email protected]
ecdsa-sha2-nistp384
[email protected]
ecdsa-sha2-nistp521
[email protected]
rsa-sha2-256
[email protected]
rsa-sha2-512
[email protected]
ssh-ed25519
[email protected]
ssh-rsa
[email protected]
Not sure if there are any further recommendations to lock down SSH.
The problem was solved by explicitly specifying only the required algorithms in the configuration file.
That is, instead of
-diffie-...
it was necessary to write, for example,
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Glad you got it working. I tested below what I sent you yesterday and worked in both R81.20 and R82, no issues.
Andy
show ssh server kex enabled
set ssh server kex diffie-hellman-group14-sha1 off
save config
service sshd restart
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 66 | |
| 23 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Tue 07 Jul 2026 @ 05:00 AM (IDT)
Check Point Cloud Firewall – The Cloud Firewall with near 100% Zero-Day Prevention Build In (SEAK)Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityTue 07 Jul 2026 @ 05:00 AM (IDT)
Check Point Cloud Firewall – The Cloud Firewall with near 100% Zero-Day Prevention Build In (SEAK)Thu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY