Question & Answer
Question
Disabling Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in an IBM PureData System for Operational Analytics
Answer
A security scan or an auditor may have flagged the following two SSH findings, which you want to address:
SSH Server CBC Mode Ciphers Enabled
SSH Weak MAC Algorithms Enabled
The default /etc/ssh/sshd_config file may contain lines similar to the ones below:
# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
To disable CBC mode ciphers and weak MAC algorithms (MD5-based and truncated -96 variants), add the following lines to the /etc/ssh/sshd_config file:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Restart sshd after making the changes:
stopsrc -s sshd
startsrc -s sshd
You can test the new configuration using:
ssh -vvv -F <ssh_config> <hostname>
You can test the changes from a temporary configuration file before applying them to /etc/ssh/sshd_config.
The example below uses a temporary configuration file, /etc/ssh/sshd_config_tmp, to test the changes against the HMC server as the hscroot user.
$ ssh -vvv -F /etc/ssh/sshd_config_tmp hscroot@172.23.1.8
OpenSSH_6.0p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh/sshd_config_tmp
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: arcfour256 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: arcfour128 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug2: mac_setup: found hmac-sha1
debug3: mac ok: hmac-sha1 [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug2: mac_setup: found umac-64@openssh.com
debug3: mac ok: umac-64@openssh.com [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug2: mac_setup: found hmac-ripemd160
debug3: mac ok: hmac-ripemd160 [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug3: macs ok: [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
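As an added example (not from the IBM technote), the POSIX shell script below audits an sshd_config for the two findings above, using the compiled-in default algorithm lists quoted in the commented lines earlier, and prints hardened Ciphers and MACs lines. The sample configuration file it writes is constructed, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM technote: audit the first effective Ciphers and
# MACs lines of an sshd_config for the two findings the page addresses (CBC mode
# ciphers; MD5-based and truncated -96 MACs) and print hardened replacement lines.

# Compiled-in defaults, taken from the commented lines quoted on the page.
DEFAULT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'
DEFAULT_MACS='hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'

# Print the value of keyword $2 in config file $1. sshd honours the first
# occurrence of a keyword, so the first uncommented match wins.
effective_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
        sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' | tr -d '\r'
}

# Remove CBC mode ciphers from a comma-separated cipher list.
strip_cbc() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -e '-cbc$' | tr '\n' ',' | sed 's/,$//'
}

# Remove MD5-based and truncated (-96) MACs from a comma-separated MAC list.
strip_weak_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -e 'md5' -e '-96$' | tr '\n' ',' | sed 's/,$//'
}

# Audit config file $1: return 0 when neither finding applies, 1 otherwise.
# A missing keyword means the compiled-in default applies, which on the OpenSSH
# 6.0 build shown on the page includes CBC and MD5/-96 algorithms.
audit_sshd_config() {
    ciphers=$(effective_value "$1" Ciphers); ciphers=${ciphers:-$DEFAULT_CIPHERS}
    macs=$(effective_value "$1" MACs); macs=${macs:-$DEFAULT_MACS}
    status=0
    if [ "$(strip_cbc "$ciphers")" != "$ciphers" ]; then
        echo "WEAK: CBC mode ciphers enabled. Set: Ciphers $(strip_cbc "$ciphers")"
        status=1
    fi
    if [ "$(strip_weak_macs "$macs")" != "$macs" ]; then
        echo "WEAK: weak MAC algorithms enabled. Set: MACs $(strip_weak_macs "$macs")"
        status=1
    fi
    return $status
}

# Constructed sample config (not from the page): Ciphers is commented out, so the
# audit falls back to the compiled-in cipher list; MACs still lists weak entries.
SAMPLE=/tmp/sshd_config_sample.$$
printf '# Ciphers aes128-ctr\nPort 22\nMACs hmac-md5,hmac-sha1,hmac-sha1-96\n' > "$SAMPLE"
audit_sshd_config "$SAMPLE" || echo "sample config needs hardening"
rm -f "$SAMPLE"
```

Note that `ssh -F <file>` reads the file as client configuration, so the test above confirms that the OpenSSH build accepts the algorithm names but does not validate the file as a server configuration; `sshd -t -f <file>` performs that server-side syntax check.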
Document Information
Modified date:
17 October 2019
UID
swg21700389