Limiting SSH ciphers and MAC algorithms in Messaging Gateway

Article ID: 163608

Products

Messaging Gateway

Issue/Introduction

You want to limit the ciphers and/or Message Authentication Code (MAC) algorithms used by the Messaging Gateway SSH service.

Cause

Messaging Gateway ships with a default set of SSH ciphers and Message Authentication Code (MAC) algorithms. This set can be limited to a smaller set of more secure ciphers and algorithms using the 'sshd-config' command line interface (CLI) command.

Resolution

The sshd-config command was upgraded in the 10.7.5 release; both the newer and the older usage are listed here.

Usage for the sshd-config command:

Version 10.7.5

Usage: sshd-config (--list | --help)
       sshd-config --add (allow|deny)
       sshd-config --delete (allow|deny) <rule#>
       sshd-config --view
       sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
       sshd-config --keygen <type> [ --bits <bits> ]

Options:
    -h,--help           Show more extensive help
    -l,--list           List current rules
    -a,--add            Add more allow/deny rules
    -d,--delete         Delete a rule by number
    -v,--view           Display ciphers/macs/kexalgorithm settings
    -p,--protocol       Set the allowed protocols (to <new_setting> )
    -c,--ciphers        Set the allowed ciphers (to <new_setting> )
    -m,--macs           Set the allowed message authentication codes (to <new_setting> )
    -k,--kexalgorithms  Set the allowed key exchange algorithms (to <new_setting> )
    -y,--keygen         Regenerate ssh key (of <type> )
    -b,--bits           Specify the number of bits for a new key to be generated

In version 10.7.5 and newer, you can explicitly specify which ciphers and MAC algorithms to use with the --ciphers and --macs options. Broadcom does not have specific recommendations for this; the allowable values are documented in the following sshd_config reference:

https://www.ssh.com/academy/ssh/sshd_config

Disabling CBC Ciphers

reference [10.8.0-7]> sshd-config --ciphers 'aes128-ctr,aes192-ctr,aes256-ctr'
Previous setting for Ciphers:
        3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:
        aes128-ctr,aes192-ctr,aes256-ctr

Do you wish to make this change? (yes/no) yes
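Before answering "yes" at that prompt it is worth checking two things: that the new list really drops every CBC (or, for --macs, every MD5 or truncated) algorithm, and that it contains no name the appliance did not already offer, because sshd refuses to start on a cipher or MAC name it does not recognise, which would lock you out of the SSH service. The following script is an added example, not part of the article or of the Messaging Gateway product; it parses the "Previous setting / New setting" transcript shown above (embedded here as a constructed string) and reviews the proposed change. The weak-name patterns it uses are this example's own judgment, not a Broadcom recommendation.

```python
import re

# Name patterns that a hardening pass normally removes. This set is this
# example's own judgment, not a Broadcom recommendation.
WEAK_CIPHER_PATTERNS = (r"-cbc\b", r"^arcfour", r"^3des")
WEAK_MAC_PATTERNS = (r"md5", r"-96\b", r"^umac-64")

# The sshd-config confirmation transcript from the article, embedded as a
# constructed string so the parser can be exercised offline.
SAMPLE_TRANSCRIPT = """\
Previous setting for Ciphers:
        3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:
        aes128-ctr,aes192-ctr,aes256-ctr
"""

# One "Previous setting for X: / New setting for X:" block of the transcript.
_BLOCK_RE = re.compile(
    r"Previous setting for (?P<key>\w+):\s*\n\s*(?P<prev>\S+)\s*\n"
    r"New setting for (?P=key):\s*\n\s*(?P<new>\S+)"
)


def split_algos(setting):
    """Turn 'a,b,c' into ['a', 'b', 'c'], ignoring blanks."""
    return [a.strip() for a in setting.split(",") if a.strip()]


def weak_entries(setting, patterns):
    """Return the algorithm names in `setting` that match a weak-name pattern."""
    return [a for a in split_algos(setting)
            if any(re.search(p, a) for p in patterns)]


def parse_transcript(text):
    """Map 'Ciphers' / 'MACs' / ... -> (previous_setting, new_setting)."""
    return {m.group("key"): (m.group("prev"), m.group("new"))
            for m in _BLOCK_RE.finditer(text)}


def review_change(previous, new, patterns):
    """Judge a proposed setting before answering 'yes' at the prompt.

    weak_remaining: names in the new list that still match a weak pattern.
    unverified:     names in the new list that were not in the previous list;
                    sshd rejects a cipher/MAC name it does not support, so
                    each of these must be confirmed on the appliance first.
    dropped:        names removed by the change.
    """
    prev_names, new_names = split_algos(previous), split_algos(new)
    report = {
        "weak_remaining": weak_entries(new, patterns),
        "unverified": [a for a in new_names if a not in prev_names],
        "dropped": [a for a in prev_names if a not in new_names],
    }
    report["ok"] = (not report["weak_remaining"]
                    and not report["unverified"]
                    and bool(new_names))
    return report


def review_transcript(text):
    """Review every block in an sshd-config transcript; key -> report."""
    pattern_for = {"Ciphers": WEAK_CIPHER_PATTERNS, "MACs": WEAK_MAC_PATTERNS}
    return {key: review_change(prev, new, pattern_for.get(key, ()))
            for key, (prev, new) in parse_transcript(text).items()}


if __name__ == "__main__":
    for key, report in review_transcript(SAMPLE_TRANSCRIPT).items():
        print(key, "OK" if report["ok"] else "REVIEW", report)
```

The same review applies to a --macs change: feed the transcript of that command to review_transcript and the MACs block is checked against the MAC patterns. A name flagged as unverified is not necessarily wrong, only absent from the previously configured list; confirm it against the sshd_config reference linked above before applying.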


Versions 10.7.4 and previous:

Usage: sshd-config (--list | --help)
       sshd-config --add (allow|deny) 
       sshd-config --delete (allow|deny) <rule#>
       sshd-config --version [1|2]
       sshd-config --cbc [on|off]
       sshd-config --mac [on|off]

Options:
    -h,--help      Show more extensive help
    -l,--list      List current rules
    -a,--add       Add more allow/deny rules
    -d,--delete    Delete a rule by number
    -v,--version   Show or change the version number
    -c,--cbc       Turn on or off support for CBC ciphers
    -m,--mac       Turn on or off the limited support for hmac algorithms


Disabling CBC Ciphers

To disable the use of CBC ciphers by the SMG SSH service, run the following command on each SMG appliance or virtual machine:

sshd-config --cbc off

Disabling insecure MAC Algorithms

To limit the MAC algorithms to a secure set, run the following command on each SMG appliance or virtual machine:

smg> sshd-config --mac on