This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dayaana
Contributor
‎2025-03-03 07:47 AM
Jump to solution

Disable diffie-hellman-group14-sha1

Hello everyone! We encountered a strange situation. We wanted to disable the diffie-hellman-group14-sha1 cipher. When we checked if it was active using the command # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, it was displayed in the output.

We decided to disable it, according to https://support.checkpoint.com/results/sk/sk172189. We have version 81.10 and according to the instructions, we started editing the file /etc/ssh/templates/sshd_config.templ.

However, we found that this configuration file does not have the diffie-hellman-group14-sha1 cipher in the list of ciphers. We added it to the file manually and put the "-" symbol so that the appearance matches the instructions from the article.

However, after this, diffie-hellman-group14-sha1 was still present in the output of # sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms.

Does anyone know why this cipher was not in the configuration file, but was shown in the output of # sshd -T -C? How can we properly disable this cipher?

There are no blades enabled on the gateway except fw.

I would be grateful for any help!

0 Kudos
1 Solution

Accepted Solutions
Dayaana
Contributor
‎2025-03-04 04:55 AM
Jump to solution

The problem was solved by explicitly specifying only the required algorithms in the configuration file.
That is, instead of
-diffie-...
it was necessary to write, for example,
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512

View solution in original post

5 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-03-03 10:06 AM
Jump to solution

Apologies, did not go through all this myself, but maybe verify if what its listed below from AI copilot is what was done.

Andy

***********************

To disable thediffie-hellman-group14-sha1Key Exchange (KEX) method for SSH on Check Point Gaia OS, follow the appropriate procedure based on your Gaia OS version.

For R81.20 and Higher

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to Gaia Clish mode.
  4. Get the list of the enabled KEX ciphers: 
    show ssh server kex enabled
  5. Disable the unwanted KEX cipher: 
    set ssh server kex diffie-hellman-group14-sha1 off
  6. Save the changes in the Gaia OS database: 
    save config
  7. Log in to the Expert mode.
  8. Restart the SSH service: 
    service sshd restart

For R81.10

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to the Expert mode.
  4. Back up the current/etc/ssh/templates/sshd_config.templfile: 
    cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}
  5. Edit the current/etc/ssh/templates/sshd_config.templfile: 
    vi /etc/ssh/templates/sshd_config.templ
  6. Change+to-for the KexAlgorithms in question: 
    KexAlgorithms -diffie-hellman-group14-sha1
  7. Save the changes in the file and exit Vi editor.
  8. Load the updated template into the Gaia OS database: 
    /bin/sshd_template_xlate < /config/active
  9. Restart the SSH service: 
    service sshd restart
  10. Check if the changes were implemented correctly: 
    sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms
    Example for the username "admin": 
    sshd -T -C 'user=admin,addr=::1' | grep kexalgorithms

For R80.40 and R81 Versions

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to the Expert mode.
  4. Back up the current/etc/ssh/sshd_configfile: 
    cp -v /etc/ssh/sshd_config{,_BKP}
  5. Edit the current/etc/ssh/sshd_configfile: 
    vi /etc/ssh/sshd_config
  6. Set the required Key Exchange method as the value of theKexAlgorithmsparameter: 
    KexAlgorithms -diffie-hellman-group14-sha1
  7. Save the changes in the file and exit Vi editor.
  8. Restart the SSH service: 
    service sshd restart

Please make sure to follow the below mandatory guidelines, to minimize the potential impact of this plan as possible:

  • The kernel debug is a heavy operation (even if it's "light") and might cause a machine to hang or even crash the machine.
  • You must perform this operation only during a maintenance window due to the high impact this operation might have.
  • Be sure to have a console connection available in case the machine hangs.
  • Validate before and after the operation that the state of the machine is stable (no high CPU, etc).

If you encounter any issues or need further assistance, please refer to the relevant documentation or open a ticket in the Check Point Support Center at support.checkpoint.com.

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.
Learn more:
  1. sk172189 - How to modify the Key Exchange (KEX) "diffie-hellman-X" methods for SSH
  2. sk180971 - L2TP / StrongSwan clients disconnect after upgrade to R81.10
  3. R81.20 Gaia Administration Guide (Japanese) - Advanced-Gaia-Configuration
  4. R80.40 Site to Site VPN Administration Guide - IPsec-and-IKE
  5. sk171332 - SSH Encryption Protocols and Message Authentication Codes supported in Gaia Embedded R80....
  6. Harmony SASE Administration Guide - WatchGuard
  7. R81.10 Remote Access VPN Administration Guide - Remote-Access-Advanced-Configuration
  8. R80.40 Remote Access VPN Administration Guide - Remote-Access-Advanced-Configuration
Best,
Andy
Dayaana
Contributor
‎2025-03-03 11:13 PM
In response to the_rock
Jump to solution

Thank you very much for the answer! This is exactly what we did, this text corresponds to the instruction from sk172189, according to which we tried to make changes.

However, what we saw did not look like the instruction. We did not find a line containing diffie-hellman-group14-sha1 in the file /etc/ssh/templates/sshd_config.templ, so we added the line KexAlgorithms -diffie-hellman-group14-sha1 manually.

At the same time, in the output of the command sshd -T -C 'user=<username>,addr=::1' | grep kexalgorithms, this cipher was displayed both before and after the changes.

Do you know the reason why this happens?

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-03-04 03:14 AM
In response to the_rock
Jump to solution

On R82 here's what I did for SSH:
set ssh server cipher 3des-cbc off
set ssh server cipher aes128-cbc off
set ssh server cipher aes128-ctr off
set ssh server cipher aes128-gcm@openssh.com on
set ssh server cipher aes192-cbc off
set ssh server cipher aes192-ctr off
set ssh server cipher aes256-cbc off
set ssh server cipher aes256-ctr off
set ssh server cipher aes256-gcm@openssh.com on
set ssh server cipher chacha20-poly1305@openssh.com off
set ssh server cipher rijndael-cbc@lysator.liu.se off
set ssh server mac hmac-md5-96-etm@openssh.com off
set ssh server mac hmac-md5-etm@openssh.com off
set ssh server mac hmac-sha1 off
set ssh server mac hmac-sha1-96-etm@openssh.com off
set ssh server mac hmac-sha1-etm@openssh.com off
set ssh server mac hmac-sha2-256 on
set ssh server mac hmac-sha2-256-etm@openssh.com on
set ssh server mac hmac-sha2-512 on
set ssh server mac hmac-sha2-512-etm@openssh.com on
set ssh server mac umac-64-etm@openssh.com off
set ssh server mac umac-64@openssh.com off
set ssh server mac umac-128-etm@openssh.com off
set ssh server mac umac-128@openssh.com off
set ssh server kex curve25519-sha256 on
set ssh server kex curve25519-sha256@libssh.org on
set ssh server kex diffie-hellman-group1-sha1 off
set ssh server kex diffie-hellman-group14-sha1 off
set ssh server kex diffie-hellman-group14-sha256 on
set ssh server kex diffie-hellman-group16-sha512 on
set ssh server kex diffie-hellman-group18-sha512 on
set ssh server kex diffie-hellman-group-exchange-sha1 off
set ssh server kex diffie-hellman-group-exchange-sha256 on
set ssh server kex ecdh-sha2-nistp256 on
set ssh server kex ecdh-sha2-nistp384 on
set ssh server kex ecdh-sha2-nistp521 on
set ssh server public-key ecdsa-sha2-nistp256 on
set ssh server public-key ecdsa-sha2-nistp256-cert-v01@openssh.com on
set ssh server public-key ecdsa-sha2-nistp384 on
set ssh server public-key ecdsa-sha2-nistp384-cert-v01@openssh.com on
set ssh server public-key ecdsa-sha2-nistp521 on
set ssh server public-key ecdsa-sha2-nistp521-cert-v01@openssh.com on
set ssh server public-key rsa-sha2-256 on
set ssh server public-key rsa-sha2-256-cert-v01@openssh.com on
set ssh server public-key rsa-sha2-512 on
set ssh server public-key rsa-sha2-512-cert-v01@openssh.com on
set ssh server public-key ssh-dss off
set ssh server public-key ssh-dss-cert-v01@openssh.com off
set ssh server public-key ssh-ed25519 on
set ssh server public-key ssh-ed25519-cert-v01@openssh.com on
set ssh server public-key ssh-rsa on
set ssh server public-key ssh-rsa-cert-v01@openssh.com on


The result reported is:
> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
aes128-gcm@openssh.com
aes256-gcm@openssh.com

> show ssh server kex enabled
--------------------------------
enabled kex:
--------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521


> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com

> show ssh server public-key enabled
--------------------------------
enabled public-key:
--------------------------------
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512
rsa-sha2-512-cert-v01@openssh.com
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com


Not sure if there are any further recommendations to lock down SSH.

 

Dayaana
Contributor
‎2025-03-04 04:55 AM
Jump to solution

The problem was solved by explicitly specifying only the required algorithms in the configuration file.
That is, instead of
-diffie-...
it was necessary to write, for example,
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512

the_rock
MVP Platinum
MVP Platinum
‎2025-03-04 05:17 AM
In response to Dayaana
Jump to solution

Glad you got it working. I tested below what I sent you yesterday and worked in both R81.20 and R82, no issues.

Andy

For R81.20 and Higher

  1. Collect the Gaia OS Backup - in Gaia Portal or Gaia Clish.
  2. Connect to the command line on Gaia OS.
  3. Log in to Gaia Clish mode.
  4. Get the list of the enabled KEX ciphers: 
    show ssh server kex enabled
  5. Disable the unwanted KEX cipher: 
    set ssh server kex diffie-hellman-group14-sha1 off
  6. Save the changes in the Gaia OS database: 
    save config
  7. Log in to the Expert mode.
  8. Restart the SSH service: 
    service sshd restart
Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events