Forum Discussion
19 Replies
- refra_151287Cirrus
Hi,
the below is how to change the SSH cipher suites.
To modify MACs:
    tmsh modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
    tmsh save sys config partitions all
    tmsh restart sys service sshd
To modify ciphers:
    tmsh modify sys sshd include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    tmsh save sys config partitions all
    tmsh restart sys service sshd
- Hannes_Rapp_162Nacreous
In regards to HTTPS (GUI access), you'll have to modify the httpd (HTTP daemon) SSL ciphers. I also found one SOL article explaining it step by step: https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13405.html
I'm not sure where to change the ciphers for SSH. I'll leave that for someone else.
- refra_151287Cirrusthanks Hannes, the provided link really helped
- Mate_132781Cirrostratus
Hi,
I have BIG-IP 11.6 and it looks like these two commands (for MACs and ciphers) are mutually exclusive. For example, if I enter:
    modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
    save sys config partitions all
    restart sys service sshd
the configuration of the SSH daemon looks like:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
        log-level verbose
    }
If after that I enter:
    modify sys sshd include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    save sys config partitions all
    restart sys service sshd
the configuration looks like:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
How can I change ciphers and MACs together? I need to disable CBC encryption and the MD5 and 96-bit MAC algorithms.
- refra_151287CirrusHi Mate, that is really what happened to me too, but after performing the PenTest again I found that the changes had taken effect. You can check that and give us feedback.
- Mate_132781Cirrostratus
I tried, but the situation is as I described before.
These commands are used to change the dynamically generated SSH daemon configuration (/var/run/config/sshd_config).
For example, here is the configuration of SSHD on TMOS:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
        log-level verbose
    }
As you can see, the MACs are modified, and this can also be seen in the auto-generated configuration of the ssh daemon (just part of it) below:
    # THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
    # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
    # Use the tmsh shell utility to make changes to the system configuration.
    # For more information, see tmsh -a help sys sshd.
    # KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible.
    # F5 Note
    # If a directive appears multiple times, its first instance will be used and subsequent instances will be silently ignored.
    # The following options have been configured via 'tmsh sys sshd include' and will therefore take precedence over any conflicting setting that appear afterward.
    # Conversely, certain directives are placed before 'include' section to prevent being overridden.
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    # F5 - end of options specified via 'tmsh sys sshd include'.
    Port 22
    #Protocol 2,1
    Protocol 2
    AddressFamily inet6
    # F5 - these are FIPS approved ciphers.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    # It's best to leave this setting as it is and use "tmsh modify sshd allow".
    # An even better idea is to make sure that your self-IPs do not allow traffic on port 22. This is the default, so installations are secure by default.
    ListenAddress 0.0.0.0
    ListenAddress ::
    # HostKey for protocol version 1
    HostKey /config/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /config/ssh/ssh_host_rsa_key
    HostKey /config/ssh/ssh_host_dsa_key
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768
    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
As you can see, the MACs are modified and the default ciphers are used.
If after that we change the ciphers, the configuration looks like:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
And the auto-generated ssh daemon configuration looks like:
    # THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
    # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
    # Use the tmsh shell utility to make changes to the system configuration.
    # For more information, see tmsh -a help sys sshd.
    # KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible.
    # F5 Note
    # If a directive appears multiple times, its first instance will be used and subsequent instances will be silently ignored.
    # The following options have been configured via 'tmsh sys sshd include' and will therefore take precedence over any conflicting setting that appear afterward.
    # Conversely, certain directives are placed before 'include' section to prevent being overridden.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    # F5 - end of options specified via 'tmsh sys sshd include'.
    Port 22
    #Protocol 2,1
    Protocol 2
    AddressFamily inet6
    # F5 - these are FIPS approved ciphers.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    # It's best to leave this setting as it is and use "tmsh modify sshd allow".
    # An even better idea is to make sure that your self-IPs do not allow traffic on port 22. This is the default, so installations are secure by default.
    ListenAddress 0.0.0.0
    ListenAddress ::
    # HostKey for protocol version 1
    HostKey /config/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /config/ssh/ssh_host_rsa_key
    HostKey /config/ssh/ssh_host_dsa_key
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768
    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
As you can see, there is no configuration line for MACs, just for ciphers.
- A support case will get you the best / quickest answer at this stage, in my opinion. Please do report back what they say.
- aries22Altocumulus
hi guys!
how can I see the auto-generated configuration of the ssh daemon?
- Mate_132781Cirrostratus
I opened a support case and the solution is pretty simple:
    tmsh modify sys sshd include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
It looks like it's working. 🙂
TMOS configuration of SSH after applying the command:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
- swo0sh_gt_13163Altostratus
Thanks Mate, this is quite helpful!
- Mate_132781Cirrostratus
I opened a support case and the engineer gave me a solution. It's pretty simple:
    tmsh modify sys sshd include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
It looks like it's working. 🙂
TMOS configuration of SSH now looks like:
    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited and will be prosecuted to the full extent of applicable local and international law. All access is monitored."
        inactivity-timeout 900
        include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
- Great, thank you for replying back with the answer.
- syedimam_147051Nimbostratus
Hi Mate, I am having the same problem as you had before. When I apply the following command I get an error. Can you please advise if I am applying it correctly?
    tmsh modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
Thanks Syed
- Mate_132781Cirrostratus
Did you copy/paste exactly as I wrote it?
Ciphers have to be on a separate line from MACs.
BR, Mate
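To make the first-instance-wins behaviour described in this thread concrete, here is an added Python model (not code from the thread, from F5 or from TMOS) of how the include string is spliced ahead of the generated sshd_config defaults, and which weak algorithms survive for a MACs-only include, a single-line "MACs ... Ciphers ..." include, and the two-line include from the support case. The default lines it appends after the include are constructed from the generated file quoted above; the weak-algorithm test (CBC ciphers, MD5 or 96-bit MACs) is the one Mate asked about.

```python
import re

# Constructed model of the generated /var/run/config/sshd_config quoted in this thread:
# TMOS splices the 'include' text in first, its own defaults follow, and OpenSSH keeps
# the FIRST instance of a directive and silently ignores later ones.
F5_DEFAULTS_AFTER_INCLUDE = [
    "Protocol 2",
    "# F5 - these are FIPS approved ciphers.",
    "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
]
ALGO_TOKEN = re.compile(r"^[A-Za-z0-9@.-]+$")  # one algorithm name: no spaces allowed

def render_sshd_config(include_text: str) -> list[str]:
    """Model the generated sshd_config for a given 'tmsh sys sshd include' string."""
    body = [ln for ln in include_text.splitlines() if ln.strip()]
    end = "# F5 - end of options specified via 'tmsh sys sshd include'."
    return body + [end] + F5_DEFAULTS_AFTER_INCLUDE

def effective_directives(lines: list[str]) -> dict[str, str]:
    """First instance wins; comment and blank lines are skipped."""
    effective: dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        effective.setdefault(key.lower(), value.strip())
    return effective

def assess(include_text: str) -> dict:
    """Report surviving weak algorithms and whether the MACs value is even well-formed."""
    eff = effective_directives(render_sshd_config(include_text))
    ciphers = eff.get("ciphers", "").split(",")
    macs = eff["macs"].split(",") if "macs" in eff else None  # None: built-in default
    return {
        "weak_ciphers": [c for c in ciphers if c.endswith("-cbc")],
        "weak_macs": [m for m in macs if "md5" in m or m.endswith("-96")] if macs else [],
        "macs_restricted": macs is not None,
        "macs_wellformed": macs is None or all(ALGO_TOKEN.match(m) for m in macs),
    }

MACS_ONLY = "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
ONE_LINE = MACS_ONLY + " Ciphers aes128-ctr,aes192-ctr,aes256-ctr"   # both on one line
TWO_LINES = MACS_ONLY + "\nCiphers aes128-ctr,aes192-ctr,aes256-ctr"  # the support-case form

if __name__ == "__main__":
    for name, text in (("macs-only", MACS_ONLY), ("one-line", ONE_LINE), ("two-lines", TWO_LINES)):
        print(name, assess(text))
```

The single-line form leaves the CBC ciphers active and produces a MACs value containing a token with spaces, which is why it cannot be accepted as a MAC list; only the two-line form clears both lists.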
- Brian_StewartNimbostratus
Confirming changes have been applied to F5 mgmt/config interfaces:
Red Hat article https://access.redhat.com/solutions/420283 is related to this topic and provides some simple remote confirmation tests we all know and love via ssh client parameters.
- Verify remotely from an SSH client:
    ssh -vv -oMACs=hmac-md5 10.x.y.z
    . . . output snipped . . .
    no matching mac found: client hmac-md5 server hmac-sha1,hmac-ripemd160
- Verify remotely from an SSH client:
    ssh -vv -oCiphers=aes128-cbc 10.x.y.z
    . . . output snipped . . .
    no matching cipher found: client aes128-cbc server aes128-ctr,aes192-ctr,aes256-ctr