
Forum Discussion

Ichnafi
May 25, 2018

Why only two supported ciphers in ssh_config

Hello everyone,

I recently tried to copy a file via scp from a BIG-IP and it failed with "not matching ciphers". I had a look into it and stumbled upon the fact that by default only aes128-cbc and aes256-cbc are the ciphers supported by the BIG-IP's SSH client.

[Snippet from  /config/ssh/ssh_config (Vers. 12.1 and 13):]
(...)
Ciphers aes128-cbc,aes256-cbc
(...)

I'm wondering, why is the BIG-IP's SSH client configured like that? From my understanding, CBC ciphers are considered weak and are therefore disabled by default, for example in the standard Debian ssh server. The BIG-IP's SSH server supports a wide variety of ciphers.

I added those ciphers to my ssh servers and now everything works, but I'm still somewhat confused by that decision.

Cheers Ichnafi

6 Replies

  • Hi Ichnafi,

    By default, the sshd configuration does not include a specific set of ciphers or MAC algorithms for BIG-IP and BIG-IQ systems. However, you can modify the encryption ciphers or the Message Authentication Code (MAC) algorithms used by the secure shell (SSH):

    Check this link, it describes how you can include additional ciphers: https://support.f5.com/csp/article/K80425458

    Hope it answers your question.

    Regards

    • Gabriel_Y

      I applied this process; however, it is not working for version "BIG-IP 14.1.2".

      edit / sys sshd all-properties

      Change the parameter:

      include "Ciphers arcfour256, aes256-ctr"

      But instead of changing the existing value, it duplicated the line, leaving it as follows:

      Can somebody help me resolve this, please?

  • This is a Known Issue: bug id is 663508

    SSH Connection issue from BIG-IP to backend servers

    Solution

    Modify SSH Client configuration

    Open up the /config/ssh/ssh_config file and make the following change

    Before: Ciphers aes128-cbc,aes256-cbc

    After: Ciphers aes128-cbc,aes256-cbc,aes256-ctr,aes128-ctr,aes192-ctr

    • Ichnafi

      Are you sure that bug ID is correct? Bug Tracker cannot find any results.

    • Sunny_291145

      When I had an issue in Nov-2017 I opened up a case with F5 and they provided me this bug-ID.
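Added example, not part of any post in this thread and not F5 code: a small Python check that reads the Ciphers line of an ssh_config, works out which cipher the client and a server would agree on, and lists the CBC or arcfour entries still offered. The two config texts mirror the "Before" and "After" lines quoted above; the server cipher list is a constructed assumption for a server with CBC disabled.

```python
# Added example; all inputs below are constructed for illustration.
BEFORE = "Host *\n  Ciphers aes128-cbc,aes256-cbc\n"
AFTER = ("Host *\n  Ciphers aes128-cbc,aes256-cbc,"
         "aes256-ctr,aes128-ctr,aes192-ctr\n")
# Assumed cipher list of a server that has CBC disabled (constructed).
SERVER = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
          "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]


def client_ciphers(config_text):
    """Return the explicit cipher list from the first Ciphers directive.

    OpenSSH uses the first value it obtains for a keyword, so later
    duplicate lines are ignored. Host/Match scoping and the +/-/^ list
    modifiers of newer OpenSSH releases are not handled here.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return []


def negotiate(client, server):
    """RFC 4253 section 7.1: first client cipher the server also lists."""
    offered = set(server)
    return next((c for c in client if c in offered), None)


def legacy(ciphers):
    """Ciphers still offered that are CBC-mode or RC4 (arcfour*)."""
    return [c for c in ciphers if c.endswith("-cbc") or c.startswith("arcfour")]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        offered = client_ciphers(text)
        chosen = negotiate(offered, SERVER)
        print(label, "->", chosen or "no matching cipher",
              "| legacy still offered:", legacy(offered))
```

Because the client's order decides the outcome, the "After" line still picks a CBC cipher against any server that accepts one; listing the CTR entries first would avoid that.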