Forum Discussion

yurnov
Jun 14, 2019

Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IP

I want to configure ciphers and MAC algorithms in my Ansible role; to do that I have used the following:

  - name: Restore F5 to default settings
    shell: |
      echo yes | tmsh load /sys config default &&
      tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256';
      tmsh <additional config>
      tmsh save /sys config partitions all;
      tmsh restart /sys service sshd;

It works fine for MACs, or for ciphers if I use the command

tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr';

But I didn't manage to configure both MACs and ciphers. I have tried to use the following sequence of commands:

tmsh modify /sys sshd include none
tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

as well as the line

tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

It fails in both cases.

At the same time, I managed to configure both with

tmsh edit /sys sshd all-properties

and then using vi to get the following config:

sys sshd {
allow { ALL }
banner disabled
banner-text none
description none
inactivity-timeout 0
include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256"
log-level info
login enabled
port 22
}

This is clearly described in KB80425458, but it is not clear how it can be automated from a script/role.

Can anyone suggest how to configure both ciphers and MAC algorithms with the tmsh modify command?

1 Reply

  • yurnov

    To clarify, in case of:

    tmsh modify /sys sshd include none
    tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
    tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

    only the latest include statement appeared in the config

    and

    tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

    failed.
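Whatever form the `tmsh modify` command finally takes, the thing worth checking afterwards is that the `include` value written into `sys sshd` really carries both lines and that neither list has quietly kept a legacy algorithm. The script below is an added example, not part of the thread and not F5 code: it builds the two-line `include` value in the same layout the working `tmsh edit` stanza above shows (a real newline between `Ciphers` and `MACs`, not a literal `\n`), parses that stanza back out of the saved config text, and flags algorithms from a small legacy list that is this example's own assumption. The sample stanza is copied from the post.

```python
"""Build and verify the Ciphers/MACs `include` value of a tmsh `sys sshd` stanza.

Added example (not from the post or from F5). The config text is the stanza
shown in the thread; LEGACY_* sets are an assumption drawn from common SSH
hardening guidance, not from the page.
"""
import re

# Constructed sample: the stanza the post shows from `tmsh edit /sys sshd all-properties`.
SAMPLE_STANZA = '''sys sshd {
allow { ALL }
banner disabled
banner-text none
description none
inactivity-timeout 0
include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256"
log-level info
login enabled
port 22
}
'''

# Assumption: algorithms a reviewer would normally want out of a hardened list.
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LEGACY_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}


def build_include(ciphers, macs):
    """Return the include value with a real newline between the two directives,
    matching the layout of the working stanza (one include, two lines)."""
    return "Ciphers " + ",".join(ciphers) + "\nMACs " + ",".join(macs)


def extract_include(stanza):
    """Pull the quoted include value out of a `sys sshd { ... }` stanza.
    Returns "" when the stanza has `include none` or no include at all."""
    match = re.search(r'include\s+"((?:[^"\\]|\\.)*)"', stanza, re.S)
    return match.group(1) if match else ""


def parse_include(include_text):
    """Turn the include lines into {'Ciphers': [...], 'MACs': [...]}.
    A directive that appears twice keeps only its last occurrence, which is
    the behaviour the reply reports for repeated `tmsh modify ... include`."""
    result = {}
    for line in include_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or a directive with no value
        key, value = parts
        result[key] = [v.strip() for v in value.split(",") if v.strip()]
    return result


def find_legacy(parsed):
    """Report which configured algorithms sit on the legacy lists."""
    return {
        "Ciphers": [c for c in parsed.get("Ciphers", []) if c in LEGACY_CIPHERS],
        "MACs": [m for m in parsed.get("MACs", []) if m in LEGACY_MACS],
    }


def verify(stanza, ciphers, macs):
    """True only when the saved stanza carries exactly the intended lists."""
    parsed = parse_include(extract_include(stanza))
    return parsed.get("Ciphers") == list(ciphers) and parsed.get("MACs") == list(macs)


if __name__ == "__main__":
    wanted_ciphers = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
    wanted_macs = ["hmac-sha2-512", "hmac-sha2-256"]
    print(repr(build_include(wanted_ciphers, wanted_macs)))
    parsed = parse_include(extract_include(SAMPLE_STANZA))
    print("configured:", parsed)
    print("legacy entries:", find_legacy(parsed))
    print("matches intended lists:", verify(SAMPLE_STANZA, wanted_ciphers, wanted_macs))
```

Feeding the output of `tmsh list /sys sshd include` (or the stanza from `tmsh edit`) into `verify` after the role runs turns the "only the latest include statement appeared" failure into an explicit check rather than something noticed at the next SSH audit.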