This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Boavida
Contributor
Contributor
‎2023-02-07 08:38 AM

Cannot disable weak SSH ciphers in Gaia Embedded

Hi community,

I'd like to disable some (considered weaker) ciphers on SMB appliances, namely on SSH service, like 3DES, SHA1, etc.

After researching through knowledge base and checkmates community, I could only find a solution that only applies to standard Gaia OS - and not Embedded Gaia.

So I decided to open a case in TAC, who analyzed it and answered that I should submit an RFE for this. I'm kind of surprised that a security concern/issue is getting from Check Point the same kind of attention as any other feature....

However does anyone was able to perform successfully any "unofficial" tweak to accomplish this?

I'll perform a RFE anyway...

Best regards,

Pedro

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-02-07 08:53 AM

The Gaia OS solution for this (cipher_util) is available on R81.10.05 in Expert Mode.
Refer to the docs here: https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/cipher_util.htm

For SSH, R81.10.05 appears to be using OpenSSH and reads its configuration file from /pfrm2.0/etc/sshd_config
Presumably,  this is where you would make changes to the allowable SSH ciphers.
In past releases (certainly in R77.20.xx), Dropbear is used, which doesn't provide a mechanism for changing the ciphers.

0 Kudos
Pedro_Boavida
Contributor
Contributor
‎2023-02-07 09:34 AM
In response to PhoneBoy

Thanks Dameon,

Actually I'm talking about past releases, however version R77.20.xx is still supported until 2025.

This should not be a constraint.

Regards

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-07 12:21 PM
In response to Pedro_Boavida

The platforms in question are End of Sale as of 2020.
In this case "support" means with existing functionality, not new functionality.
Refer to our Appliance Support Timeline for details.

Dropbear (used in R77.20.xx for ssh/sshd) doesn't provide a mechanism to change the ciphers used.
That means to provide this functionality, either Dropbear needs modification or it needs to be replaced with something else (like OpenSSH).
Further, the appliances that run R77.20.xx cannot run R8x code due to hardware limitations.
This means additional development would be required to support this in R77.20.xx.
As the affected appliances are End of Sale, this is not currently planned and would require an RFE with your local Check Point office.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events