This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cvega-nrel
Explorer
‎2020-07-28 08:38 AM

SSH key exchange algorithms

We're needing to tighten up our SSH settings if possible.

These two lines have been set in /etc/ssh/sshd_config and are producing the expected results.

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1

However, trying to set the key exchange algorithms with this does not work:

KexAlgorithms diffie-hellman-group14-sha1

I've tried various combos; the actual goal is to disable this one, as it shows up as available: diffie-hellman-group-exchange-sha1

| ssh2-enum-algos:
| kex_algorithms: (2)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1

Regardless, the result of trying to set KexAlgorithms in any way is:

Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]

 

I thought CP uses standard OpenSSH, so in theory that option should work correct?

We're on R80.10 if that matters. Anyone have any ideas? Thanks!

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-07-28 11:18 AM

R80.10 is using an older version of OpenSSH which may not support those options.
This is required due to the older Linux kernel version in R80.10.
When we updated the Linux kernel in R80.40, we also updated OpenSSH and many other userspace tools.

It is not likely we will update OpenSSH in versions prior to R80.40.

0 Kudos
LostBoY
Advisor
‎2021-03-02 05:01 AM

Did you find a solution to this ? 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-03-02 07:36 AM
In response to LostBoY

SecurePlatform and GAiA versions with the 2.6 kernel (I think all firewalls from R65 through R80.40 and all managements from R65 through R80.30) have OpenSSH 4.3p2. That version is too old to support configurable key exchange protocols. You have to upgrade to a newer OS version (R80.40 or R81) to get the newer kernel (3.10) and newer OpenSSH (now 7.8p1). Once you have upgraded, KexAlgorithms should be a valid option in the sshd_config.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events