BIG-IP 11.6 - Disable MD5 and 96-bit MAC algorithms and CBC mode for SSH

Question

Hi,&nbsp;
our customer has BIG-IP 2000s with 11.6 HF4 TMOS, they had security audit which ends with 2 vulnerabilities and action points:&nbsp;
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.&nbsp;
disable MD5 and 96bit MAC algorithms
The SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext.&nbsp;
disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption
Can you pls help me how to disable MD5 and 96-bit algorithms and CBC mode cipher encryption (and enable CTR or GCM cipher mode encryption) for SSH?&nbsp;

boneyard · Answer

been asked before, see here:&nbsp;
https://devcentral.f5.com/questions/ssh-ciphers-change&nbsp;

Forum Discussion

BIG-IP 11.6 - Disable MD5 and 96-bit MAC algorithms and CBC mode for SSH

1 Reply

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Quick Optimizations for F5 BIG-IP Virtual Edition

Getting Started with BIG-IP Next: Upgrading Central Manager

Deploying F5 BIG-IP with Azure Cross-region load balancer

Service discovery and registration with BIG-IP