mattchow_FTNT
Staff
August 24, 2022

Technical Tip: How to disable SSH key sha1 and SSH weak MAC in global setting

Description

This article describes how to disable SHA-1 based SSH key exchange ('ssh-kex-sha1') and weak SSH MAC algorithms ('ssh-mac-weak') in the global settings.

Scope

FortiGate.
Solution

Both options are set to 'enable' by default in the global settings. The current values can be checked with the command 'get system global'.

get system global

.

.
ssh-kex-sha1 : enable
ssh-mac-weak : enable

 

They can be disabled using the commands below:

config system global
    set ssh-kex-sha1 disable
    set ssh-mac-weak disable
end

 

The SSH daemon debug output is shown below; all of the listed versions and algorithms are skipped and disallowed once 'ssh-kex-sha1' and 'ssh-mac-weak' are disabled.

diagnose debug application sshd -1

diagnose debug enable

.

.

SSH: Compat: skipping algorithm "diffie-hellman-group-exchange-sha1"
SSH: Compat: skipping algorithm "diffie-hellman-group14-sha1"

SSH: Compat: skipping algorithm "umac-64-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1"

.

.
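
One way to confirm the change from the network side, as an added example that is not part of the original article or Fortinet code: it parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports any of the algorithms named in the debug output above that the server still offers. The function names and both sample payloads are constructed for illustration.

```python
import struct

# Algorithm names taken from the sshd debug output on this page.
WEAK_KEX = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"}
WEAK_MAC = {"umac-64-etm@openssh.com", "hmac-sha1-etm@openssh.com", "hmac-sha1"}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message type byte onward) into name-lists."""
    if len(payload) < 17 or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)  # struct.error if cut short
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        lists[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def weak_offers(lists: dict) -> dict:
    """Return the weak KEX and MAC names (either direction) still offered."""
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return {"kex": sorted(WEAK_KEX & set(lists["kex"])),
            "mac": sorted(WEAK_MAC & macs)}

def build_kexinit(**offered) -> bytes:
    """Build a constructed KEXINIT payload for the demo (not a real capture)."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        names = ",".join(offered.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

# Constructed samples: a server offer before and after the settings change.
BEFORE = build_kexinit(kex=["curve25519-sha256", "diffie-hellman-group14-sha1"],
                       mac_c2s=["hmac-sha2-256", "hmac-sha1"],
                       mac_s2c=["hmac-sha2-256", "hmac-sha1-etm@openssh.com"])
AFTER = build_kexinit(kex=["curve25519-sha256"],
                      mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"])

if __name__ == "__main__":
    for label, pkt in (("before", BEFORE), ("after", AFTER)):
        print(label, weak_offers(parse_kexinit(pkt)))
```

An empty result for both keys means none of the algorithms listed in the debug output are being advertised by the server.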