Start a new topic

Disable Weak SSH Algorithms

mito @ Sun Jul 13 22:00:12 EEST 2014
Hi
How can we disabled the weaker CBC-MAC algorithms in our Crush sftp / SSH instance?

see below, we would like to remove all the 96bit hmac algos etc, is this possible?


| ssh2-enum-algos:

| kex_algorithms: (3)

| diffie-hellman-group1-sha1

| diffie-hellman-group-exchange-sha1

| diffie-hellman-group-exchange-sha256

| server_host_key_algorithms: (2)

| ssh-dss

| ssh-rsa

| encryption_algorithms: (6)

| aes128-cbc

| aes128-ctr

| 3des-cbc

| blowfish-cbc

| arcfour128

| arcfour

| mac_algorithms: (6)

| hmac-md5

| hmac-sha1

| hmac-md5-96

| hmac-sha1-96

| hmac-sha256

| hmac-sha256@ssh.com

| compression_algorithms: (2)

| none

|_ zlib


spinkb @ Mon Jul 14 01:28:48 EEST 2014
This is not controllable. Why is it you want to change it? This isn't a cipher being used for actual file transfer or login, etc.

Is there a real issue for controlling the MAC algorithms?

Thanks,
Ben
spinkb @ Mon Jul 14 09:57:42 EEST 2014
Waiting for your direct email to support. We have a solution for you.

Just click update now and you will have a new field to control the MAC algorithm just like the cipher algorithm list.

Thanks,
Ben

I also need to disable weak SSH algorithm and enable TLS1.2 supported protocols for SSH.


Please advise.


Thanks

admin, prefs, sftp port, ssh tab, ciphers allows you to control that.


admin, prefs, encryption, ssl allows you to restrict the TLS versions.  Do not remove "SSLv2Hello" as its not a real protocol, but generally required.


You need Java 8 too for TLS 1.2 to work.

Hi Ben

just dragging this one up again, can you post a list of all the available ciphers and MAC algorithms that are supported in Crush? (7.3 is the version we are on)

I would like to restrict some of the weaker ones, but there are not many left using the out of the box config we have when i take away CBC and 96bit etc, so I assume some stronger are ciphers are now available out of the box?

Cheers 

There is no point in doing any restriction in your version.  You're vulnerable to other more important SFTP issues.  Security isn't a pick and choose...either you stay current and are safe from all known issues, or you stay behind and are vulnerable to potentially many issues.  Changing a cipher makes things a little more secure...but you have other gaping holes that can only be fixed by updating and staying current.


Thanks,
Ben

Thanks for the update Ben

we are not publishing the WebUI at all so not concerned with the holes that may be in that, but if a version upgrade is required before we can get any further info on acceptable SSH ciphers to use I will upgrade to the latest version and come back to this 

Cheers 

The holes aren't in the WebUI.  The holes are in the SSH protocol.  So upgrading is required.

Login to post a comment