You want to limit the ciphers and/or Message Authentication Code (MAC) algorithms used by the Messaging Gateway SSH service.
Messaging Gateway ships with a default set of SSH ciphers and MAC algorithms, but this set can be limited to a smaller set of more secure ciphers and algorithms using the 'sshd-config' command line interface (CLI) command.
The sshd-config command was upgraded in the 10.7.5 release; both the newer and the older usage information are listed here.
Usage for the sshd-config command:
Usage: sshd-config (--list | --help)
sshd-config --add (allow|deny)
sshd-config --delete (allow|deny) <rule#>
sshd-config --view
sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
sshd-config --keygen <type> [ --bits <bits> ]
Options:
-h,--help Show more extensive help
-l,--list List current rules
-a,--add Add more allow/deny rules
-d,--delete Delete a rule by number
-v,--view Display ciphers/macs/kexalgorithm settings
-p,--protocol Set the allowed protocols (to <new_setting> )
-c,--ciphers Set the allowed ciphers (to <new_setting> )
-m,--macs Set the allowed message authentication codes (to <new_setting> )
-k,--kexalgorithms Set the allowed key exchange algorithms (to <new_setting> )
-y,--keygen Regenerate ssh key (of <type> )
-b,--bits specify the number of bits for a new key to be generated
In version 10.7.5 and newer, you can explicitly specify which ciphers and MAC algorithms to use with the --ciphers and --macs options. Broadcom does not have specific recommendations for this; allowable configurations can be found in the following SSH configuration information:
https://www.ssh.com/academy/ssh/sshd_config
Disabling CBC Ciphers
reference [10.8.0-7]> sshd-config --ciphers 'aes128-ctr,aes192-ctr,aes256-ctr'
Previous setting for Ciphers:
3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:
aes128-ctr,aes192-ctr,aes256-ctr
Do you wish to make this change? (yes/no) yes
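As an added example (not from the Broadcom article or the SMG product), the following Python helper takes a comma-separated algorithm list of the kind printed by 'sshd-config --view', drops CBC ciphers and MD5/SHA-1/truncated MACs, and renders the matching 10.7.5+ commands; the weakness rules and the sample MAC list are this example's own assumptions.

```python
# Added example, not part of the article: filter OpenSSH-style algorithm
# lists and build the sshd-config commands that apply the reduced sets.

# "Previous setting for Ciphers" line as printed in the article.
LEGACY_CIPHERS = ("3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,"
                  "aes256-cbc,rijndael-cbc@lysator.liu.se,"
                  "aes128-ctr,aes192-ctr,aes256-ctr")
# Constructed MAC list (the article does not print one).
SAMPLE_MACS = ("hmac-md5,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,"
               "hmac-sha2-256,hmac-sha2-512")


def is_weak_cipher(name):
    # Assumption: any CBC-mode cipher, including the legacy rijndael alias, is out.
    return name.endswith("-cbc") or "-cbc@" in name


def is_weak_mac(name):
    # Assumption: MD5-based, SHA-1-based and truncated (-96, umac-64) MACs are out.
    return ("md5" in name or "sha1" in name
            or name.endswith("-96") or name.startswith("umac-64"))


def filter_algorithms(setting, is_weak):
    """Return (kept, dropped) name lists from a comma-separated setting."""
    names = [n.strip() for n in setting.split(",") if n.strip()]
    kept = [n for n in names if not is_weak(n)]
    dropped = [n for n in names if is_weak(n)]
    return kept, dropped


def sshd_config_commands(ciphers, macs):
    """Render the 10.7.5+ CLI commands for the filtered cipher and MAC sets."""
    kept_c, _ = filter_algorithms(ciphers, is_weak_cipher)
    kept_m, _ = filter_algorithms(macs, is_weak_mac)
    if not kept_c or not kept_m:
        # An empty set would leave sshd with nothing to negotiate.
        raise ValueError("filtering leaves an empty set; refusing to generate commands")
    return ["sshd-config --ciphers '%s'" % ",".join(kept_c),
            "sshd-config --macs '%s'" % ",".join(kept_m)]


if __name__ == "__main__":
    for cmd in sshd_config_commands(LEGACY_CIPHERS, SAMPLE_MACS):
        print(cmd)
```

Run it against the output of 'sshd-config --view' on your own appliance to see which entries would be dropped before committing the change.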
Versions 10.7.4 and previous:
Usage: sshd-config (--list | --help)
sshd-config --add (allow|deny)
sshd-config --delete (allow|deny) <rule#>
sshd-config --version [1|2]
sshd-config --cbc [on|off]
sshd-config --mac [on|off]
Options:
-h,--help Show more extensive help
-l,--list List current rules
-a,--add Add more allow/deny rules
-d,--delete Delete a rule by number
-v,--version Show or change the version number
-c,--cbc Turn on or off support for CBC ciphers
-m,--mac Turn on or off the limited support for hmac algorithms
Disabling CBC Ciphers
To disable the use of CBC ciphers by the SMG SSH service, run the following command on each SMG appliance or virtual machine:
sshd-config --cbc off
Disabling insecure MAC Algorithms
To limit the MAC algorithms to a secure set, run the following command on each SMG appliance or virtual machine:
smg> sshd-config --mac on