IBM Support

Disabling Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in an IBM PureData System for Operational Analytics

Question & Answer


Question

Disabling Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in an IBM PureData System for Operational Analytics

Answer

You may have run a security scan or your auditor may have highlighted the following SSH vulnerabilities and you would like to address them.


    SSH Server CBC Mode Ciphers Enabled
   SSH Weak MAC Algorithms Enabled

The default /etc/ssh/sshd_config file may contain lines similar to the ones below:


# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour


# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

To disable CBC mode ciphers and weak MAC algorithms (MD5 and -96), add the following lines into the /etc/ssh/sshd_config file.


Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Restart ssh after you have made the changes.


stopsrc -s sshd
startsrc -s sshd

You can test the new configuration using

ssh -vvv -F <ssh_config> <hostname>

You can create a temporary configuration file to test the changes included before implementing them in /etc/ssh/sshd_config.

The example below uses a temporary configuration file /etc/ssh/sshd_config_tmp to test the changes against the HMC server using hscroot user.


$ ssh -vvv -F /etc/ssh/sshd_config_tmp hscroot@172.23.1.8
OpenSSH_6.0p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh/sshd_config_tmp
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: arcfour256 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: cipher ok: arcfour128 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128]
debug2: mac_setup: found hmac-sha1
debug3: mac ok: hmac-sha1 [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug2: mac_setup: found umac-64@openssh.com
debug3: mac ok: umac-64@openssh.com [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug2: mac_setup: found hmac-ripemd160
debug3: mac ok: hmac-ripemd160 [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]
debug3: macs ok: [hmac-sha1,umac-64@openssh.com,hmac-ripemd160]

[{"Product":{"code":"SSH2TE","label":"PureData System for Operational Analytics"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"}],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
17 October 2019

UID

swg21700389