Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mattchow_FTNT
Staff
Staff

Created on ‎08-23-2022 10:02 PM Edited on ‎01-10-2024 11:45 PM By Community Manager

Article Id 221625

Technical Tip: How to disable SSH key sha1 and SSH weak MAC in global setting

Description

The article describes how to disable SSH key sha 1 and SSH weak MAC in global setting.
Scope FortiGate.
Solution

The default action in global setting ie 'enable' by default, it is possible to check using command 'get system global'.

 

get system global

.

.
ssh-kex-sha1 : enable
ssh-mac-weak : enable

 

It can be disabled using the commands below:

 

config system global
    set ssh-key-sha disable
    set ssh-mac-weak disable
end

 

The SSH daemon debug shown as below, all these versions and algorithms will be skipped and disallowed after disabling 'ssh-key-sha1' and 'ssh-mac-weak'.

 

diagnose debug application sshd -1

diagnose debug enable

.

.

SSH: Compat: skipping algorithm "diffie-hellman-group-exchange-sha1"
SSH: Compat: skipping algorithm "diffie-hellman-group14-sha1"

SSH: Compat: skipping algorithm "umac-64-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1-etm@openssh.com"
SSH: Compat: skipping algorithm "hmac-sha1"

.

.
7885
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.