SSH ciphers change

I tried, but situation is like I described before.

This commands are used to change dynamicly generated SSH daemon (/var/run/config/sshd_config).

For example, here is configuration of SSHD on TMOS:

sys sshd {
banner enabled
banner-text "Any unauthorized access is strictly prohibited
and will be prosecuted to the full extent of
applicable local and international law.
All access is monitored."
inactivity-timeout 900
include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
log-level verbose
}

As you can see, MAC is modified and this can also bee seen in auto generated configuration (just part of it) of ssh daemon below:

 THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!


 $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

 Use the tmsh shell utility to make changes to the system configuration.
 For more information, see tmsh -a help sys sshd.

 KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
 MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

 The strategy used for options in the default sshd_config shipped with
 OpenSSH is to specify options with their default value where
 possible.
 F5 Note
 If a directive appears multiple times, its first instance will be used
 and subsequent instances will be silently ignored. The following options
 have been configured via 'tmsh sys sshd include' and will therefore take
 precedence over any conflicting setting that appear afterward. Conversely,
 certain directives are placed before 'include' section to prevent being
 overridden.
 MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
 F5 - end of options specified via 'tmsh sys sshd include'.

Port 22
Protocol 2,1
 Protocol 2
 AddressFamily inet6

 F5 - these are FIPS approved ciphers.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc


 It's best to leave this setting as it is and use "tmsh modify sshd allow".
 An even better idea is to make sure that your self-IPs do not allow traffic
 on port 22.This is the default, so installations are secure by default.
ListenAddress 0.0.0.0
ListenAddress ::

 HostKey for protocol version 1
HostKey /config/ssh/ssh_host_key
 HostKeys for protocol version 2
HostKey /config/ssh/ssh_host_rsa_key
HostKey /config/ssh/ssh_host_dsa_key

 Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 768

 Logging
 obsoletes QuietMode and FascistLogging
SyslogFacility AUTH

As you can see, MACs are modified and default ciphers are used.

If after that we change ciphers, configuration looks like:

sys sshd {
banner enabled
banner-text "Any unauthorized access is strictly prohibited
and will be prosecuted to the full extent of
applicable local and international law.
All access is monitored."
inactivity-timeout 900
include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
log-level verbose
}

And auto generated ssh daemon looks like:

 THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!


 $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

 Use the tmsh shell utility to make changes to the system configuration.
 For more information, see tmsh -a help sys sshd.

 KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
 MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

 The strategy used for options in the default sshd_config shipped with
 OpenSSH is to specify options with their default value where
 possible.
 F5 Note
 If a directive appears multiple times, its first instance will be used
 and subsequent instances will be silently ignored. The following options
 have been configured via 'tmsh sys sshd include' and will therefore take
 precedence over any conflicting setting that appear afterward. Conversely,
 certain directives are placed before 'include' section to prevent being
 overridden.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr
 F5 - end of options specified via 'tmsh sys sshd include'.

Port 22
Protocol 2,1
 Protocol 2
 AddressFamily inet6

 F5 - these are FIPS approved ciphers.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc


 It's best to leave this setting as it is and use "tmsh modify sshd allow".
 An even better idea is to make sure that your self-IPs do not allow traffic
 on port 22.This is the default, so installations are secure by default.
ListenAddress 0.0.0.0
ListenAddress ::

 HostKey for protocol version 1
HostKey /config/ssh/ssh_host_key
 HostKeys for protocol version 2
HostKey /config/ssh/ssh_host_rsa_key
HostKey /config/ssh/ssh_host_dsa_key

 Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 768

 Logging
 obsoletes QuietMode and FascistLogging
SyslogFacility AUTH

A you can see, there is no configuration line for MACs, just for ciphers.