Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mattchow_FTNT
Staff
Staff

Created on ‎08-23-2022 10:02 PM Edited on ‎09-29-2025 12:02 AM By Moderator

Article Id 221625

Technical Tip: How to disable SSH key sha1 and SSH weak MAC in global setting

Description

The article describes how to disable the SSH key SHA-1 and SSH weak MAC in the global settings.
Scope FortiGate.
Solution

The default action in the global setting is 'enable' by default, it is possible to check it using the command 'get system global'.

 

get system global

.

.
ssh-kex-sha1 : enable
ssh-mac-weak : enable

 

It can be disabled using the commands below:

 

config system global
    set ssh-kex-sha1 disable
    set ssh-mac-weak disable
end

 

The SSH daemon debug is shown below; all these versions and algorithms will be skipped and disallowed after disabling 'ssh-kex-sha1' and 'ssh-mac-weak'.

 

diagnose debug application sshd -1

diagnose debug enable

.

.

SSH: Compat: skipping algorithm "diffie-hellman-group-exchange-sha1"
SSH: Compat: skipping algorithm "diffie-hellman-group14-sha1"

SSH: Compat: skipping algorithm "umac-64-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1"

.

.
7979
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.