This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
checkpointer
Participant
‎2021-10-06 05:56 AM

Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

Hi guys,

Can you help me with this please?

Trying to follow  sk165685 but command does not work on r80.20.

Regards,

Checkpointer

0 Kudos
8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-10-06 06:12 AM

I assume this does work in R80.40 / R81 only, as it reads: In R80.40, openSSL and openSSH were upgraded.

Then the command ssh -Q options are listed...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
checkpointer
Participant
‎2021-10-06 06:26 AM
In response to G_W_Albrecht

Thanks GW, is there any other way you might know of to get the information around supported MAC/HMACs in R80.20?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-10-06 06:36 AM
In response to checkpointer

For SSH, the -Q option was added in OpenBSD 5.5 only. Try cat /etc/ssh/ssh_config to read config file 8)

See sk106031: How to change SSH encryption protocols and Message Authentication Code settings also.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-06 07:41 AM
In response to checkpointer

Unfortunately, the underlying components require a newer version of the Linux kernel not present in R80.20.
Upgrade to at least R80.40, which is in wide use by our customers. 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-10-06 09:57 AM

Up until R80.30 GAiA 3.10, Check Point includes OpenSSH 4.3p2, which corresponds to OpenBSD 3.9. Here is the version of the manpage you should use:

https://man.openbsd.org/OpenBSD-3.9/sshd_config

At that time, the only HMACs supported were hmac-md5 and hmac-sha1 (Turns out I was wrong about this. See below.). Of note, MD5 provides plenty of security for an HMAC.

With the move to a newer RHEL base, R80.30 management, R80.40 firewall, and up include OpenSSH 7.8p1, from mid-2018.

0 Kudos
checkpointer
Participant
‎2021-10-07 12:35 AM
In response to Bob_Zimmerman

Hi Bob, thanks for this. What is the source of this information? Can I validate it with any SK's?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-10-07 06:25 AM
In response to checkpointer

Version is obtained using 'sshd -v'. You can then check the OpenBSD 3.9 release notes, which say it includes OpenSSH 4.3. The manpage above is the OpenBSD 3.9 version of the manpage, though I somehow got the link text wrong. That link goes to sshd_config, which is the correct page. Look for the "MACs" option.

I also misinterpreted something I read elsewhere. OpenSSH 4.3 supports four HMACs: hmac-md5, hmac-sha1, hmac-ripemd160, hmac-sha1-96, hmac-md5-96.

0 Kudos
checkpointer
Participant
‎2021-10-07 06:44 AM
In response to Bob_Zimmerman

Fantastic, thanks Bob. 

I was able to get version with 'rpm -qa | grep ssh', 'sshd -v' didn't work in my (lab) r80.10.

Once again thank you so much for this, I am much obliged to you for answering my question!

Regards,

Checkpointer

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events