checkpointer
Participant

Which MAC/HMACs are supported in R80.20, ssh -Q mac doesn't work

Hi guys,

Can you help me with this please?

Trying to follow sk165685, but the command does not work on R80.20.

Regards,

Checkpointer

0 Kudos
8 Replies
G_W_Albrecht
Legend

I assume this does work in R80.40 / R81 only, as it reads: In R80.40, openSSL and openSSH were upgraded.

Then the command ssh -Q options are listed...

CCSE CCTE SMB Specialist
0 Kudos
checkpointer
Participant

Thanks GW, is there any other way you might know of to get the information around supported MAC/HMACs in R80.20?

0 Kudos
G_W_Albrecht
Legend

For SSH, the -Q option was added in OpenBSD 5.5 only. Try cat /etc/ssh/ssh_config to read config file 😎

See sk106031: How to change SSH encryption protocols and Message Authentication Code settings also.

CCSE CCTE SMB Specialist
0 Kudos
PhoneBoy
Admin

Unfortunately, the underlying components require a newer version of the Linux kernel not present in R80.20.
Upgrade to at least R80.40, which is in wide use by our customers. 

0 Kudos
Bob_Zimmerman
Advisor

Up until R80.30 GAiA 3.10, Check Point includes OpenSSH 4.3p2, which corresponds to OpenBSD 3.9. Here is the version of the manpage you should use:

https://man.openbsd.org/OpenBSD-3.9/sshd_config

At that time, the only HMACs supported were hmac-md5 and hmac-sha1 (Turns out I was wrong about this. See below.). Of note, MD5 provides plenty of security for an HMAC.

With the move to a newer RHEL base, R80.30 management, R80.40 firewall, and up include OpenSSH 7.8p1, from mid-2018.

0 Kudos
checkpointer
Participant

Hi Bob, thanks for this. What is the source of this information? Can I validate it with any SKs?

0 Kudos
Bob_Zimmerman
Advisor

Version is obtained using 'sshd -v'. You can then check the OpenBSD 3.9 release notes, which say it includes OpenSSH 4.3. The manpage above is the OpenBSD 3.9 version of the manpage, though I somehow got the link text wrong. That link goes to sshd_config, which is the correct page. Look for the "MACs" option.

I also misinterpreted something I read elsewhere. OpenSSH 4.3 supports four HMACs: hmac-md5, hmac-sha1, hmac-ripemd160, hmac-sha1-96, hmac-md5-96.

0 Kudos
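An added example, not part of the thread or of any Check Point SK: on an sshd too old for `ssh -Q mac`, the MACs in effect can be read from the `MACs` line of the config file and compared with the OpenSSH 4.3 names listed in the reply above. The function names and the sample config are constructed for illustration, and the code assumes that the listed names are also what sshd uses when no `MACs` line is set.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# MAC names for OpenSSH 4.3 as listed in the thread; assumed here to also be
# the list sshd uses when sshd_config has no MACs line.
MACS_4_3="hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"

# effective_macs FILE: print the MACs in effect, one per line.
# Keywords are case-insensitive, commented lines are ignored, and the first
# MACs line wins, as in sshd_config parsing.
effective_macs() {
    line=$(awk 'tolower($1) == "macs" { $1 = ""; print; exit }' "$1" 2>/dev/null) || :
    [ -n "$line" ] || line="$MACS_4_3"
    printf '%s\n' "$line" | tr -d ' \t' | tr ',' '\n' | sed '/^$/d'
}

# unknown_macs FILE: print configured MACs that are not in the 4.3 list,
# e.g. names copied from a hardening guide written for a newer OpenSSH.
unknown_macs() {
    effective_macs "$1" | while read -r mac; do
        case ",$MACS_4_3," in
            *",$mac,"*) ;;
            *) printf '%s\n' "$mac" ;;
        esac
    done
}

# Constructed sample config; on a real system pass the sshd_config path.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#MACs hmac-md5
macs hmac-sha1,hmac-sha2-256,hmac-ripemd160
EOF
echo "effective:"; effective_macs "$sample"
echo "not in the OpenSSH 4.3 list:"; unknown_macs "$sample"
rm -f "$sample"
```

A name reported by `unknown_macs` is one to remove from the config before restarting sshd on that release.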
checkpointer
Participant

Fantastic, thanks Bob. 

I was able to get version with 'rpm -qa | grep ssh', 'sshd -v' didn't work in my (lab) r80.10.

Once again thank you so much for this, I am much obliged to you for answering my question!

Regards,

Checkpointer

0 Kudos