Disable SSH Weak Ciphers

Forum|Forum|8 years ago
September 25, 2017
1 reply
54008 views

We are using FortiGate and we noticed that the SSH server is configured to use the weak encryption algorithms (arcfour, arcfour128 & arcfour256, cbc) and mac algorithms (hmac-sha1 and hmac-md5).

My question is:

How to disable CBC mode ciphers and use CTR mode ciphers?

How to disable 96-bit HMAC Algorithms?

How to disable MD5-based HMAC Algorithms?

Thanks.

emnoc

New Member

Try the config sys global cli command

e.g

config sys global

set ssh-cbc-cipher disable set ssh-hmac-md5 disable end

Now run ssh client with -v option

( before the change )

debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none

( now after )

debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none

You can scroll thru all cipher that the client support and see what is or is not accepted. Check out my post from a few years back on ssh tips

http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html

e.g ( build a file with all ciphers to check chain-blocks are disable )

CEHacker:~ kfelix$ for p in ` cat ciphers ` ; do ssh -c $p 11.11.1.6 ; done no matching cipher found: client 3des-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr no matching cipher found: client aes128-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr no matching cipher found: client aes192-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr no matching cipher found: client aes256-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr kfelix@11.11.1.6 password:

I hope that helps

Ken

rabubakarAuthor

New Member

Hi,

Thanks for your feedback. However, the commands are not available in the CLI.

Firmware: v5.6.0 build1449 (GA)

tanr

New Member

Does 5.6 still have:

config sys global

set strong-crypto enable

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded