Technical Forum

Modifying the list of ciphers and MAC algorithms used by the SSH service on the BIG-IP

yurnov
Nimbostratus

I want to configure ciphers and MAC algorithms in my Ansible role; to do that I have used the following:

  - name: Restore F5 to default settings
    shell: |
      echo yes | tmsh load /sys config default &&
      tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256';
      tmsh <additional config>
      tmsh save /sys config partitions all;
      tmsh restart /sys service sshd;

It works fine for MACs, or for ciphers if I use the command

tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr';

But I didn't manage to configure both MACs and ciphers. I have tried to use the following sequence of commands:

tmsh modify /sys sshd include none
tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

as well as line

tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

It fails in both cases.

At the same time, I did manage to configure both with

tmsh edit /sys sshd all-properties

and then use vi to get the following config:

sys sshd {
    allow { ALL }
    banner disabled
    banner-text none
    description none
    inactivity-timeout 0
    include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256"
    log-level info
    login enabled
    port 22
}

This is clearly described in KB80425458, but it is not clear how it can be automated from a script/role.

Can anyone suggest how to configure both ciphers and MAC algorithms with the tmsh modify command?

1 REPLY

yurnov
Nimbostratus

To clarify, in case of:

tmsh modify /sys sshd include none
tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
tmsh modify /sys sshd include 'MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

only the latest include statement appeared in the config

and

tmsh modify /sys sshd include 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

failed
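Added example (not from the post, the KB or F5) covering both the question and the clarification above: the `'... \n ...'` form fails because inside single quotes the shell passes a literal backslash and `n`, not a line break, so sshd gets one malformed line; the config listing in the post shows the include value as two real lines. The helper below builds that two-line value with a real newline in POSIX sh, and the `apply_sshd_include` wrapper assumes that `tmsh modify /sys sshd include` accepts the same two-line string the config listing shows (an assumption; `DRY_RUN=1` only prints the command).

```shell
#!/bin/sh
# Constructed sample input: the cipher and MAC lists from the post.
# (hmac-md5 and hmac-sha1 are usually dropped from hardened baselines.)
CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'
MACS='hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'

# Build "Ciphers <list>" and "MACs <list>" joined by a real newline.
# printf's \n is interpreted by printf itself, so no bash-only $'\n' is needed.
build_sshd_include() {
    printf 'Ciphers %s\nMACs %s' "$1" "$2"
}

# Count how many lines a value would occupy in the sshd include directive.
count_lines() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# The post's failing attempt, reproduced exactly: single quotes keep the
# backslash and the n as ordinary characters, so this is one line.
literal_attempt() {
    printf '%s' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n MACs hmac-sha1,hmac-md5,hmac-sha2-512,hmac-sha2-256'
}

# Wrapper for the role: prints the tmsh command by default (DRY_RUN=1),
# runs it on a BIG-IP when DRY_RUN=0. Assumes tmsh accepts the embedded newline.
apply_sshd_include() {
    value=$(build_sshd_include "$1" "$2")   # inner newline survives $(...)
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf "tmsh modify /sys sshd include '%s'\n" "$value"
    else
        tmsh modify /sys sshd include "$value" &&
        tmsh save /sys config partitions all &&
        tmsh restart /sys service sshd
    fi
}

apply_sshd_include "$CIPHERS" "$MACS"
```

In the Ansible `shell: |` block the same effect is obtained by breaking the line inside the quotes (a real newline between the `Ciphers` and `MACs` parts) instead of writing `\n`.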