LostBoY
Advisor

SSH weak algorithm supported

A vulnerability, "SSH weak algorithms supported", has been reported on R80.10 gateways. What is the procedure to resolve this vulnerability?

Are some modifications required in the sshd conf file for this?

Thanks

7 Replies
Chris_Atkinson
Employee

Start with reviewing sk106031 depending on the specific finding.

PhoneBoy
Admin

You can adjust some of the algorithms offered by modifying the sshd configuration.
However, the version of OpenSSH we use prior to R80.40 is old and does not offer some of the currently recommended algorithms.
Given that R80.10 is End of Support in a few months, it’s highly recommended you upgrade.

LostBoY
Advisor

Yes, we have an upgrade planned in March for this.

Can you please point out the config I need to modify in the sshd file?

the_rock
Authority

Hi,

It's right in the SK itself:

  1. Add the following 2 lines to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files:

     Ciphers aes128-ctr,aes192-ctr,aes256-ctr
     MACs hmac-sha1

     Important: There should be no spaces between ciphers/MACs and commas.

  2. Remove previous "Ciphers/MACs" lines if they currently exist in the above files.

  3. Restart the SSH server using the "service sshd restart" command.
LostBoY
Advisor

Thanks for the reply.

I was looking in the sshd and ssh config files, but I don't see any enabled Ciphers there.

In the ssh config there is a line "ciphers aes-.. blowfish.." and so on, but it is hashed out. This line is not present in the sshd config file.

So I am a bit confused here. Why is the vulnerability being detected if it is hashed out? Or does having no entry in the file relate to the default ciphers?

the_rock
Authority

Send me the file privately and I can compare it to one from a fresh gateway.

Andy

Bob_Zimmerman
Advisor

The OpenBSD developers (and OpenSSH is an OpenBSD project) include default values for most configurable items. These default values don't need anything in the config file to work, but they include them in the config file anyway, commented out, as a valid config line that would result in the same behavior as the default.

You can either remove the "# " at the start of the line and edit it to your requirements (the defaults for a given OpenSSH version are easy enough to find online), or you can add a new line in the file meeting your requirements.
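As an added example (not from this thread, the SK, or Check Point's own tooling), a small Python checker for the points raised above: a hashed-out line is ignored, so sshd falls back to its built-in default list; sshd takes the first value it reads for a keyword, so a stale Ciphers/MACs line higher in the file silently wins over a new one (which is why the SK's step 2 matters); and the "no spaces around commas" rule. The sshd_config fragment is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not a real gateway file): a commented-out Ciphers line like the
# one in the thread, a MACs line with a stray space, and a duplicate Ciphers line.
SAMPLE_SSHD_CONFIG = """\
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc,3des-cbc,blowfish-cbc
Protocol 2
MACs hmac-sha1, hmac-md5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Ciphers aes128-cbc
"""

KEYWORDS = ("ciphers", "macs", "kexalgorithms")

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect every active (non-commented) value of the algorithm keywords, in file order."""
    found: Dict[str, List[str]] = {k: [] for k in KEYWORDS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # hashed-out lines are ignored by sshd
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)  # sshd accepts "Key value" and "Key=value"
        if m and m.group(1).lower() in found:
            found[m.group(1).lower()].append(m.group(2))
    return found

def effective_value(parsed: Dict[str, List[str]], keyword: str) -> Optional[str]:
    """sshd uses the first value it reads; None means the compiled-in default applies."""
    vals = parsed[keyword.lower()]
    return vals[0] if vals else None

def audit(text: str) -> List[str]:
    """Report the pitfalls discussed in the thread for the Ciphers and MACs keywords."""
    parsed = parse_sshd_config(text)
    problems: List[str] = []
    for key in ("ciphers", "macs"):
        vals = parsed[key]
        if not vals:
            problems.append(f"{key}: no active line, sshd uses its built-in default list")
            continue
        if len(vals) > 1:  # the SK's step 2: earlier duplicates override the new line
            problems.append(f"{key}: {len(vals)} active lines, only '{vals[0]}' takes effect")
        if re.search(r"\s,|,\s", vals[0]):  # the SK's "no spaces around commas" rule
            problems.append(f"{key}: whitespace around a comma in '{vals[0]}'")
    return problems

if __name__ == "__main__":
    for p in audit(SAMPLE_SSHD_CONFIG):
        print(p)
```

On the gateway itself, `sshd -T` prints the effective (default-resolved) values and is the quickest way to see what the scanner is actually being offered.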