IBM Support

Disabling SSH Weak ciphers vulnerability - HMC V8

Question & Answer


Question

The HMC supports the weak SSH ciphers "arcfour,arcfour128,arcfour256".

Cause

You may have run a security scan, or your auditor may have flagged the finding "SSH Weak Algorithms Supported", and you would like to address it.

"The following Weak server-to-client encryption algorithms are supported : arcfour,arcfour128,arcfour256".

Answer

- Run lshmcencr to list the SSH ciphers:

lshmcencr -c ssh -t c    << lists the ciphers currently in use.
lshmcencr -c ssh -t a    << lists the available ciphers.

- As hscroot, run these commands to remove the weak ciphers from SSH:

chhmcencr -c ssh -o r -e arcfour
chhmcencr -c ssh -o r -e arcfour128
chhmcencr -c ssh -o r -e arcfour256



- Reboot the HMC afterwards to apply the changes.

- After rebooting, run "lshmcencr -c ssh -t c" again.

- Then submit this HMC to the vulnerability tool for a rescan; the arcfour ciphers should now be disabled.
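
Before requesting the rescan, the server's cipher offer can also be checked from a workstation. The script below is an added example, not IBM's code: it reads a saved `ssh -vv` trace and reports any of the three arcfour ciphers still present in the server's client-to-server (ctos) or server-to-client (stoc) lists. It assumes an OpenSSH client recent enough to label the "peer server KEXINIT proposal" in its debug output; the host name and the sample trace are constructed.

```shell
#!/bin/sh
# Added example: check the server half of an `ssh -vv` trace for weak ciphers.
# Capture a trace from a workstation (host name is a placeholder):
#   ssh -vv hscroot@hmc.example.com 2> hmc-ssh.trace

# The three ciphers named in the scan finding on this page.
WEAK_CIPHERS="arcfour arcfour128 arcfour256"

# weak_server_ciphers: read a trace on stdin, print "<direction> <cipher>"
# for every weak cipher in the *server's* proposal (ctos and stoc lists).
weak_server_ciphers() {
    awk -v weak="$WEAK_CIPHERS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF captures
        /^debug2: local client KEXINIT proposal/ { server = 0; next }
        /^debug2: peer server KEXINIT proposal/  { server = 1; next }
        server && /^debug2: ciphers (ctos|stoc): / {
            dir = $3; sub(/:$/, "", dir)
            m = split($4, c, ",")
            for (i = 1; i <= m; i++) if (c[i] in bad) print dir, c[i]
        }
    '
}

# hmc_ssh_ok: exit 0 when the server offers none of them, else list them and exit 1.
hmc_ssh_ok() {
    found=$(weak_server_ciphers)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# sample_trace <server-cipher-list>: constructed excerpt, not captured from a real HMC.
# The client half lists arcfour on purpose; only the server half must be judged.
sample_trace() {
    cat <<EOF
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,arcfour
debug2: ciphers stoc: aes128-ctr,arcfour
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: $1
debug2: ciphers stoc: $1
EOF
}

# Usage: sh check.sh hmc-ssh.trace
if [ "$#" -gt 0 ]; then hmc_ssh_ok < "$1"; fi
```

A non-zero exit status with lines such as "stoc arcfour128" means the removal or the reboot has not taken effect yet.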


Document Information

More support for:
AIX

Software version:
Not Applicable

Operating system(s):
AIX

Document number:
632613

Modified date:
17 June 2018

UID

isg3T1026093
