Pedro_Boavida
Contributor

Cannot disable weak SSH ciphers in Gaia Embedded

Hi community,

I'd like to disable some (considered weaker) ciphers on SMB appliances, namely on the SSH service, like 3DES, SHA1, etc.

After researching through the knowledge base and the CheckMates community, I could only find a solution that applies to standard Gaia OS, not Embedded Gaia.

So I decided to open a case in TAC, who analyzed it and answered that I should submit an RFE for this. I'm kind of surprised that a security concern/issue is getting from Check Point the same kind of attention as any other feature....

However, was anyone able to successfully perform any "unofficial" tweak to accomplish this?

I'll submit an RFE anyway...

Best regards,

Pedro

3 Replies
PhoneBoy
Admin

The Gaia OS solution for this (cipher_util) is available on R81.10.05 in Expert Mode.
Refer to the docs here: https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/cipher_util.htm

For SSH, R81.10.05 appears to be using OpenSSH and reads its configuration file from /pfrm2.0/etc/sshd_config.
Presumably, this is where you would make changes to the allowable SSH ciphers.
In past releases (certainly in R77.20.xx), Dropbear is used, which doesn't provide a mechanism for changing the ciphers.

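As an added example (not code from the thread, from Check Point, or from PhoneBoy), the following POSIX shell script shows the kind of edit the reply above describes for an OpenSSH-based release: it audits the Ciphers/MACs/KexAlgorithms lines of an sshd_config for weak algorithms (3DES, RC4, Blowfish, CBC modes, MD5/SHA-1 MACs, SHA-1 key exchange) and emits a hardened replacement set. The sample config text is constructed for illustration; the only thing taken from the thread is that R81.10.05 reads /pfrm2.0/etc/sshd_config, which the reply itself calls presumptive, so treat that path as an assumption to verify on your own appliance.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: audit an OpenSSH
# sshd_config for weak SSH algorithms and print a hardened replacement.
# The config below is a constructed sample; on an R81.10.05 SMB appliance
# the thread reports the live file at /pfrm2.0/etc/sshd_config (assumption).

# Constructed sample of a permissive sshd_config, the "before" state.
WEAK_CONFIG='# constructed sample, not a real appliance file
Port 22
Ciphers aes128-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Print every algorithm named on the Ciphers, MACs and KexAlgorithms lines
# of the sshd_config text in $1, one per line (comment lines are skipped
# because their first field is "#").
list_algos() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) print a[i]
        }'
}

# Print only the weak algorithms from $1; empty output means clean.
# Substring match is a deliberate heuristic: "sha1" catches hmac-sha1,
# hmac-sha1-96 and every *-sha1 KEX, and leaves sha256/sha512 names alone.
list_weak() {
    list_algos "$1" | grep -iE '3des|arcfour|blowfish|cast128|-cbc|hmac-md5|sha1' || true
}

# Print the number of weak algorithms found in $1 (0 when clean).
count_weak() {
    list_weak "$1" | grep -c . || true
}

# Print the hardened "after" set: AEAD and CTR ciphers only, SHA-2
# encrypt-then-MAC MACs, and key exchange without SHA-1. Drop any name
# that `ssh -Q cipher|mac|kex` on the target build does not list.
hardened_config() {
    cat <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
EOF
}

# Stand-alone run: report on the weak sample, then confirm the hardened
# set passes the same audit.
echo "Weak algorithms in sample config:"
list_weak "$WEAK_CONFIG"
echo "Weak algorithms in hardened set: $(count_weak "$(hardened_config)")"
```

To audit a real file, run `count_weak "$(cat /path/to/sshd_config)"` and paste the output of `hardened_config` over the existing algorithm lines. Before restarting sshd, check each name against `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on the appliance's own OpenSSH build, since an unknown name makes sshd refuse to start, and keep a second session open while you restart. After the change, confirm from another host what the server actually offers with `nmap -p 22 --script ssh2-enum-algos <appliance>`; that check is independent of what the config file says, and the restart-and-enumerate step is the one a config edit on an embedded image cannot replace, because such images may regenerate files on boot or upgrade (an assumption to verify, not something the thread states).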
Pedro_Boavida
Contributor

Thanks Dameon,

Actually, I'm talking about past releases; however, version R77.20.xx is still supported until 2025.

This should not be a constraint.

Regards

PhoneBoy
Admin

The platforms in question are End of Sale as of 2020.
In this case "support" means with existing functionality, not new functionality.
Refer to our Appliance Support Timeline for details.

Dropbear (used in R77.20.xx for ssh/sshd) doesn't provide a mechanism to change the ciphers used.
That means to provide this functionality, either Dropbear needs modification or it needs to be replaced with something else (like OpenSSH).
Further, the appliances that run R77.20.xx cannot run R8x code due to hardware limitations.
This means additional development would be required to support this in R77.20.xx.
As the affected appliances are End of Sale, this is not currently planned and would require an RFE with your local Check Point office.
