Dayaana
Contributor

Disable diffie-hellman-group14-sha1

Hello everyone! We encountered a strange situation. We wanted to disable the diffie-hellman-group14-sha1 cipher. When we checked if it was active using the command # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, it was displayed in the output.

We decided to disable it, according to https://support.checkpoint.com/results/sk/sk172189. We have version 81.10 and according to the instructions, we started editing the file /etc/ssh/templates/sshd_config.templ.

However, we found that this configuration file does not have the diffie-hellman-group14-sha1 cipher in the list of ciphers. We added it to the file manually and put the "-" symbol so that the appearance matches the instructions from the article.

However, after this, diffie-hellman-group14-sha1 was still present in the output of # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms.

Does anyone know why this cipher was not in the configuration file, but was shown in the output of # sshd -T -C? How can we properly disable this cipher?

There are no blades enabled on the gateway except fw.

I would be grateful for any help!

2 Replies
the_rock
Legend

Apologies, I did not go through all this myself, but maybe verify whether what is listed below from AI Copilot is what was done.

Andy

***********************

To disable the diffie-hellman-group14-sha1 Key Exchange (KEX) method for SSH on Check Point Gaia OS, follow the appropriate procedure based on your Gaia OS version.

For R81.20 and Higher

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to Gaia Clish mode.
  4. Get the list of the enabled KEX ciphers:
    show ssh server kex enabled
    
  5. Disable the unwanted KEX cipher:
    set ssh server kex diffie-hellman-group14-sha1 off
    
  6. Save the changes in the Gaia OS database:
    save config
    
  7. Log in to the Expert mode.
  8. Restart the SSH service:
    service sshd restart
    

For R81.10

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to the Expert mode.
  4. Back up the current /etc/ssh/templates/sshd_config.templ file:
    cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}
    
  5. Edit the current /etc/ssh/templates/sshd_config.templ file:
    vi /etc/ssh/templates/sshd_config.templ
    
  6. Change + to - for the KexAlgorithms in question:
    KexAlgorithms -diffie-hellman-group14-sha1
    
  7. Save the changes in the file and exit Vi editor.
  8. Load the updated template into the Gaia OS database:
    /bin/sshd_template_xlate < /config/active
    
  9. Restart the SSH service:
    service sshd restart
    
  10. Check if the changes were implemented correctly:
    sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms
    
    Example for the username "admin":
    sshd -T -C 'user=admin,addr=::1' | grep kexalgorithms
    

For R80.40 and R81 Versions

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to the Expert mode.
  4. Back up the current /etc/ssh/sshd_config file:
    cp -v /etc/ssh/sshd_config{,_BKP}
    
  5. Edit the current /etc/ssh/sshd_config file:
    vi /etc/ssh/sshd_config
    
  6. Set the required Key Exchange method as the value of the KexAlgorithms parameter:
    KexAlgorithms -diffie-hellman-group14-sha1
    
  7. Save the changes in the file and exit Vi editor.
  8. Restart the SSH service:
    service sshd restart
    

Please make sure to follow the below mandatory guidelines, to minimize the potential impact of this plan as possible:

  • The kernel debug is a heavy operation (even if it's "light") and might cause a machine to hang or even crash the machine.
  • You must perform this operation only during a maintenance window due to the high impact this operation might have.
  • Be sure to have a console connection available in case the machine hangs.
  • Validate before and after the operation that the state of the machine is stable (no high CPU, etc).

If you encounter any issues or need further assistance, please refer to the relevant documentation or open a ticket in the Check Point Support Center at support.checkpoint.com.

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.
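Added example (not from the post above, from sk172189, or from Check Point): a bash script that emulates how sshd resolves the effective KexAlgorithms list from a config file, which is what `sshd -T` reports. It shows why an algorithm that is never named in the file can still appear in the output (it is part of sshd's compiled-in default list, which is what the original poster's `sshd -T` output suggests for diffie-hellman-group14-sha1), and why a `-diffie-hellman-group14-sha1` line can be silently ignored (sshd uses the first occurrence of a keyword; a KexAlgorithms line earlier in the file wins). The default KEX list and the three template fragments are constructed for illustration, and only exact algorithm names are handled for the `-` prefix (real sshd also accepts wildcard patterns there).

```bash
#!/bin/bash
# Emulate sshd's resolution of KexAlgorithms so a template can be checked
# before restarting the service. Constructed example; the default list below
# is an assumption for illustration, not a value read from any gateway.
DEFAULT_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"

# first_kex_directive FILE -> value of the FIRST KexAlgorithms line.
# sshd keeps the first value it reads for a keyword and ignores later ones;
# comment lines (#...) never match because $1 would start with '#'.
first_kex_directive() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# effective_kex DEFAULT_LIST DIRECTIVE -> the list sshd would end up with,
# applying the "+" (append), "^" (prepend) and "-" (remove) prefixes;
# a value without a prefix replaces the defaults entirely.
effective_kex() {
    local def="$1" dir="$2"
    case "$dir" in
        "")  printf '%s\n' "$def" ;;                # no directive: defaults only
        +*)  printf '%s,%s\n' "$def" "${dir#+}" ;;   # append (no de-duplication here)
        ^*)  printf '%s,%s\n' "${dir#^}" "$def" ;;   # prepend
        -*)  printf '%s\n' "$def" | awk -v removed="${dir#-}" '
                 BEGIN { n = split(removed, r, ","); for (i = 1; i <= n; i++) drop[r[i]] = 1 }
                 { m = split($0, a, ","); out = ""
                   for (i = 1; i <= m; i++)
                       if (!(a[i] in drop)) out = out (out == "" ? "" : ",") a[i]
                   print out }' ;;
        *)   printf '%s\n' "$dir" ;;                # explicit list replaces defaults
    esac
}

# kex_enabled FILE ALGO -> exit 0 if ALGO would be offered by sshd, 1 otherwise
kex_enabled() {
    local list
    list=$(effective_kex "$DEFAULT_KEX" "$(first_kex_directive "$1")")
    printf '%s\n' "$list" | tr ',' '\n' | grep -qxF "$2"
}

demo() {
    local tmp; tmp=$(mktemp -d)
    # Three constructed template fragments (not from a real gateway):
    printf 'Ciphers aes256-ctr\n' > "$tmp/no-directive"
    printf 'Ciphers aes256-ctr\nKexAlgorithms -diffie-hellman-group14-sha1\n' > "$tmp/removed"
    # An earlier KexAlgorithms line shadows the later "-" line, so the removal
    # never takes effect even though it is present in the file.
    printf 'KexAlgorithms +diffie-hellman-group1-sha1\nKexAlgorithms -diffie-hellman-group14-sha1\n' > "$tmp/shadowed"
    local f
    for f in no-directive removed shadowed; do
        if kex_enabled "$tmp/$f" diffie-hellman-group14-sha1; then
            echo "$f: diffie-hellman-group14-sha1 ENABLED"
        else
            echo "$f: diffie-hellman-group14-sha1 disabled"
        fi
    done
    # On a real host (root needed), compare with what sshd itself reports.
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        sshd -T -C 'user=admin,addr=::1' 2>/dev/null | grep -i '^kexalgorithms' || true
    fi
    rm -rf "$tmp"
}
demo
```

Run it against both /etc/ssh/templates/sshd_config.templ and the file sshd actually loads (by default /etc/ssh/sshd_config, or whatever `-f` names), since `sshd -T` reads the latter, not the template; if the emulated list disagrees with the real `sshd -T` output, look for an earlier KexAlgorithms line or a template that was edited but never translated into the active configuration.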
Dayaana
Contributor

Thank you very much for the answer! This is exactly what we did, this text corresponds to the instruction from sk172189, according to which we tried to make changes.

However, what we saw did not look like the instruction. We did not find a line containing diffie-hellman-group14-sha1 in the file /etc/ssh/templates/sshd_config.templ, so we added the line KexAlgorithms -diffie-hellman-group14-sha1 manually.

At the same time, in the output of the command sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, this cipher was displayed both before and after the changes.

Do you know the reason why this happens?
