Forum Discussion
Why only two supported ciphers in ssh_config
Hello everyone,
I recently tried to copy a file via scp from a BIG-IP and it failed with "not matching ciphers". I had a look into it and stumbled upon the fact that, by default, only aes128-cbc and aes256-cbc are supported by the BIG-IP's SSH client.
[Snippet from /config/ssh/ssh_config (Vers. 12.1 and 13):]
(...)
Ciphers aes128-cbc,aes256-cbc
(...)
I'm wondering, why is the BIG-IP's SSH client configured like that? From my understanding, CBC ciphers are considered weak and are therefore disabled by default, for example in the standard Debian SSH server. The BIG-IP's SSH server supports a wide variety of ciphers.
I added those ciphers to my SSH servers and now everything works, but I'm still somewhat confused by that decision.
Cheers Ichnafi
- youssef1
Cumulonimbus
Hi Ichnafi,
By default, the sshd configuration does not include a specific set of ciphers or MAC algorithms for BIG-IP and BIG-IQ systems. However you can modify the encryption ciphers or the Message Authentication Code (MAC) algorithms used by the secure shell (SSH):
Check this link, it describes how you can include additional ciphers: https://support.f5.com/csp/article/K80425458
Hope it responds to your answer.
Regards
- Gabriel_Y
Nimbostratus
I applied this process, however it is not working for version "BIG-IP 14.1.2".
edit / sys sshd all-properties
Change the parameter:
include "Ciphers arcfour256, aes256-ctr"
But instead of changing the existing value, it duplicated the line, leaving it as follows:
Can somebody help me resolve this, please?
- Sunny_291145
Nimbostratus
This is a Known Issue: bug id is 663508
SSH Connection issue from BIG-IP to backend servers
Solution
Modify SSH Client configuration
Open up the /config/ssh/ssh_config file and make the following change
Before: Ciphers aes128-cbc,aes256-cbc
After: Ciphers aes128-cbc,aes256-cbc,aes256-ctr,aes128-ctr,aes192-ctr
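Added example, not part of the thread and not F5 code: a small Python check that parses the `Ciphers` line of a client and a server config and applies the SSH negotiation rule from RFC 4253 section 7.1 (the first cipher on the client's list that the server also offers) to the two client lines quoted above. The server cipher lists are constructed samples, and the parser assumes a plain comma-separated list in the global section of the file.

```python
import re

def parse_ciphers(config_text):
    """Return the list from the first `Ciphers` directive (ssh uses the first value obtained)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ciphers(?:\s*=\s*|\s+)(.+)$", line, re.IGNORECASE)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return []

def negotiate(client, server):
    """RFC 4253 section 7.1: the first cipher on the client's list that the server also lists."""
    offered = set(server)
    return next((c for c in client if c in offered), None)

def audit(client_cfg, server_cfg):
    """Return (negotiated cipher or None, True if that cipher is a CBC mode)."""
    chosen = negotiate(parse_ciphers(client_cfg), parse_ciphers(server_cfg))
    return chosen, bool(chosen) and chosen.endswith("-cbc")

# Client lines quoted in the thread (/config/ssh/ssh_config before and after the change).
CLIENT_BEFORE = "Ciphers aes128-cbc,aes256-cbc\n"
CLIENT_AFTER = "Ciphers aes128-cbc,aes256-cbc,aes256-ctr,aes128-ctr,aes192-ctr\n"
# Constructed sample server lists (not from the thread): one without CBC, one with CBC added.
SERVER_NO_CBC = "# constructed sample\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com\n"
SERVER_WITH_CBC = "Ciphers aes256-ctr,aes128-ctr,aes128-cbc,aes256-cbc\n"

if __name__ == "__main__":
    for name, client, server in [
        ("default client vs server without CBC", CLIENT_BEFORE, SERVER_NO_CBC),
        ("default client vs server with CBC added", CLIENT_BEFORE, SERVER_WITH_CBC),
        ("extended client vs server without CBC", CLIENT_AFTER, SERVER_NO_CBC),
        ("extended client vs server with CBC added", CLIENT_AFTER, SERVER_WITH_CBC),
    ]:
        chosen, cbc = audit(client, server)
        print(f"{name}: {chosen or 'no matching cipher'}{' (CBC)' if cbc else ''}")
```

Because the client's order decides, the extended list still selects aes128-cbc whenever the server offers it; a CTR cipher is chosen only when the server offers no CBC cipher or the CTR entries are listed first on the client.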
- Ichnafi
Cirrostratus
Are you sure that bug ID is correct? Bug Tracker can not find any results.
- Sunny_291145
Nimbostratus
When I had an issue in Nov-2017 I opened up a case with F5 and they provided me this bug-ID.