SSH ciphers change
I tried, but the situation is like I described before.
These commands are used to change the dynamically generated SSH daemon configuration (/var/run/config/sshd_config).
For example, here is the configuration of SSHD on TMOS:
```
sys sshd {
    banner enabled
    banner-text "Any unauthorized access is strictly prohibited
and will be prosecuted to the full extent of
applicable local and international law.
All access is monitored."
    inactivity-timeout 900
    include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
    log-level verbose
}
```
As you can see, the MAC is modified, and this can also be seen in the auto-generated configuration (just part of it) of the ssh daemon below:
```
# THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# Use the tmsh shell utility to make changes to the system configuration.
# For more information, see tmsh -a help sys sshd.
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible.
# F5 Note
# If a directive appears multiple times, its first instance will be used
# and subsequent instances will be silently ignored. The following options
# have been configured via 'tmsh sys sshd include' and will therefore take
# precedence over any conflicting setting that appear afterward. Conversely,
# certain directives are placed before 'include' section to prevent being
# overridden.
MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
# F5 - end of options specified via 'tmsh sys sshd include'.
Port 22
#Protocol 2,1
Protocol 2
AddressFamily inet6
# F5 - these are FIPS approved ciphers.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# It's best to leave this setting as it is and use "tmsh modify sshd allow".
# An even better idea is to make sure that your self-IPs do not allow traffic
# on port 22. This is the default, so installations are secure by default.
ListenAddress 0.0.0.0
ListenAddress ::
# HostKey for protocol version 1
#HostKey /config/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /config/ssh/ssh_host_rsa_key
HostKey /config/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
```
As you can see, the MACs are modified and the default ciphers are used.
If after that we change the ciphers, the configuration looks like:
```
sys sshd {
    banner enabled
    banner-text "Any unauthorized access is strictly prohibited
and will be prosecuted to the full extent of
applicable local and international law.
All access is monitored."
    inactivity-timeout 900
    include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    log-level verbose
}
```
And the auto-generated ssh daemon configuration looks like:
```
# THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# Use the tmsh shell utility to make changes to the system configuration.
# For more information, see tmsh -a help sys sshd.
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible.
# F5 Note
# If a directive appears multiple times, its first instance will be used
# and subsequent instances will be silently ignored. The following options
# have been configured via 'tmsh sys sshd include' and will therefore take
# precedence over any conflicting setting that appear afterward. Conversely,
# certain directives are placed before 'include' section to prevent being
# overridden.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# F5 - end of options specified via 'tmsh sys sshd include'.
Port 22
#Protocol 2,1
Protocol 2
AddressFamily inet6
# F5 - these are FIPS approved ciphers.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# It's best to leave this setting as it is and use "tmsh modify sshd allow".
# An even better idea is to make sure that your self-IPs do not allow traffic
# on port 22. This is the default, so installations are secure by default.
ListenAddress 0.0.0.0
ListenAddress ::
# HostKey for protocol version 1
#HostKey /config/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /config/ssh/ssh_host_rsa_key
HostKey /config/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
```
As you can see, there is no configuration line for MACs, just for ciphers.
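The post turns on one sshd rule: when a directive appears more than once, only the first instance counts, so whatever the `include` string places before the F5 end-of-include marker is what takes effect, and anything the include string does not mention silently falls back to the line F5 ships below it (the FIPS `Ciphers` line) or, if no line exists at all, to the OpenSSH build default. The following script is an added example, not code from the post or from F5: it reads an sshd_config with first-instance-wins semantics, reports the effective `Ciphers`, `MACs` and `KexAlgorithms`, and flags legacy algorithms. The two sample configs are constructed from the fragments quoted above (only the algorithm-related lines are reproduced; the `LEGACY` patterns are this example's own choice of what counts as legacy).

```python
"""Resolve an sshd_config the way OpenSSH does (first instance of a directive
wins) and audit the resulting algorithm choices. Added example; the samples are
constructed from the F5 auto-generated file quoted in the post."""
import re

# Constructed sample: the file generated when the tmsh include string sets MACs.
SAMPLE_MACS_INCLUDE = """\
# F5 Note: options below come from 'tmsh sys sshd include'
MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
# F5 - end of options specified via 'tmsh sys sshd include'.
Port 22
#Protocol 2,1
Protocol 2
# F5 - these are FIPS approved ciphers.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

# Constructed sample: the file generated when the include string sets Ciphers
# instead. The MACs line is gone, so no MACs directive is in effect at all.
SAMPLE_CIPHERS_INCLUDE = """\
# F5 Note: options below come from 'tmsh sys sshd include'
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# F5 - end of options specified via 'tmsh sys sshd include'.
Port 22
#Protocol 2,1
Protocol 2
# F5 - these are FIPS approved ciphers.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

# Substrings that mark an algorithm as legacy (this example's own list, based
# on common hardening guidance: CBC modes, 3DES/RC4, MD5, truncated MACs,
# RIPEMD, and SHA-1 based MACs/key exchange).
LEGACY = {
    "ciphers": ("-cbc", "3des", "arcfour", "blowfish", "cast128"),
    "macs": ("md5", "-96", "ripemd", "hmac-sha1"),
    "kexalgorithms": ("sha1",),
}


def parse_effective(text):
    """Return {directive_lower: value} for the global section of an sshd_config.

    Blank lines and '#' comments are skipped; the first occurrence of a
    directive is kept and later ones are ignored, matching sshd's behaviour.
    Parsing stops at a 'Match' block because directives there are conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first instance wins
    return effective


def audit_algorithms(text):
    """Report which algorithm directives are missing (build default applies)
    and which effective entries match a LEGACY pattern."""
    effective = parse_effective(text)
    report = {"missing": [], "flagged": {}}
    for directive, patterns in LEGACY.items():
        if directive not in effective:
            report["missing"].append(directive)
            continue
        algos = [a.strip() for a in effective[directive].split(",") if a.strip()]
        bad = [a for a in algos if any(p in a for p in patterns)]
        if bad:
            report["flagged"][directive] = bad
    return report


if __name__ == "__main__":
    for name, sample in (("MACs include", SAMPLE_MACS_INCLUDE),
                         ("Ciphers include", SAMPLE_CIPHERS_INCLUDE)):
        eff = parse_effective(sample)
        print(f"== {name} ==")
        for d in LEGACY:
            print(f"  {d}: {eff.get(d, '<not set: OpenSSH default applies>')}")
        print("  audit:", audit_algorithms(sample))
```

Run against the first sample the effective `Ciphers` is the F5 FIPS line (the four CBC entries are flagged), and all three included MACs are flagged as legacy; against the second sample the effective `Ciphers` is the three CTR entries from the include and `macs` is reported as missing rather than as any particular value, which is exactly the difference the post observes. `kexalgorithms` is reported missing in both because the samples do not reproduce that line.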