IBM Support

How to change OpenSSH Ciphers, MACs and KEX algorithms

Question & Answer


Question

In OpenSSH, you can choose which key exchange (KEX), message authentication code (MAC) and cipher algorithms to use by modifying the server (sshd_config) and/or client (ssh_config) configuration files. This gives you greater control over which algorithms are offered on inbound or outbound OpenSSH connections on your IBM i server. For example, you can restrict OpenSSH to a subset of algorithms, or you can re-enable algorithms that were removed from its default lists.
IBM strongly recommends that you always run your IBM i server with only the default KEX, MAC and cipher algorithms enabled. NOTE: Configuring your IBM i server to allow weak ciphers, KEX or MAC algorithms puts the server at risk of a network security breach. IBM DISCLAIMS AND YOU ASSUME ALL RESPONSIBILITY AND LIABILITY FOR ANY DAMAGE OR LOSS, INCLUDING LOSS OF DATA, ARISING OUT OF OR RELATED TO YOUR USE OF THE SPECIFIED KEX, MAC and CIPHERS.
Further information on the current OpenSSH defaults can be found at https://www.openssh.com/manual.html in the ssh_config (client) and sshd_config (server) sections. Note that the online manual documents the current OpenSSH release; the defaults that apply to your server are those of the OpenSSH version actually installed on it (see ssh -V below), so compare against that release's documentation.
You can list every algorithm that the installed OpenSSH binaries support by entering PASE (call qp2term) and running the following commands:
ssh -Q cipher
ssh -Q kex
ssh -Q mac
These lists show what the binary is able to negotiate, not what is currently enabled: the enabled set is the default list for that version unless the configuration file overrides it. After editing sshd_config, sshd -T (run as a user that can read the host key files) prints the effective server configuration, including the ciphers, macs and kexalgorithms lines, and fails with an error if a line names an algorithm the binary does not support, so run it before restarting the server.
Once you have determined whether there are any algorithms you would like to add or remove, you can control which ones are offered on outbound (client-initiated) connections or inbound (connections initiated by a remote client) connections by editing one or both of the configuration files (ssh_config or sshd_config) provided with the OpenSSH LPP 5733-SC1. On IBM i 7.2 and later, the OpenSSH configuration files are located in IFS directory '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc'.
The recommended way to modify the algorithm lists in the OpenSSH configuration files is to prefix the list with a + sign to add algorithms to the defaults, or a - sign to remove algorithms from them, rather than writing out a complete replacement list: a list with no prefix replaces the defaults entirely, so it silently misses algorithms that later releases add to the defaults and can keep weak ones that later releases remove. On IBM i this option is available at OpenSSH 8.0p1 and later. To find out which version of OpenSSH is running on your IBM i server, execute the commands below:
call qp2term <enter>
ssh -V <enter> 
This returns the OpenSSH version your IBM i server is running. On IBM i 7.2, 7.3 and 7.4 (R720-R740), if the server is not at OpenSSH 8.0p1, install the latest 5733-SC1 PTFs for R720-R740. On IBM i 7.5 and later (R750+), if the server is not at OpenSSH 8.6p1, verify that the R750 version of 5733-SC1 is installed; once it is (or if the system was already at 8.6p1), install the latest 5733-SC1 PTFs for R750.
The latest 5733-SC1 PTFs can be found at: https://www.ibm.com/support/pages/5733-sc1-ptfs
Below are examples of how an entry looks when adding or removing algorithms. The configuration keywords are Ciphers, MACs and KexAlgorithms (note Ciphers, not Cipher), and the value is a comma-separated list of algorithm names with no spaces.
To add ciphers, KEX or MAC algorithms beyond the default list, prefix the list with +:
Ciphers +
MACs +
KexAlgorithms +
Then behind the + you add the algorithm(s) you want to include in addition to the default list. Each name must be one the binary supports (see ssh -Q above); an unknown name in a + list is a fatal configuration error and sshd will not start.
To remove ciphers, KEX or MAC algorithms from the default list, prefix the list with -:
Ciphers -
MACs -
KexAlgorithms -
Then behind the - you add the algorithm(s) you want to remove from the default list. A - list may use wildcard patterns, for example Ciphers -*-cbc, and names that match nothing are ignored rather than reported, so check the spelling carefully.
Two points to keep in mind when editing the files: if the keyword already appears in the file, change that line instead of adding another one, because OpenSSH uses the first occurrence of a keyword and ignores any later ones; and changes to sshd_config take effect only after the server is restarted (ENDTCPSVR SERVER(*SSHD) followed by STRTCPSVR SERVER(*SSHD)).
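As an added illustration (not code from this IBM page or from OpenSSH itself), the shell script below previews what a + or - prefix does to a list before you restart sshd: it re-implements the prefix rules from sshd_config(5) in POSIX sh, shows the first-occurrence rule for a keyword that appears twice, and checks a list for names the binary does not provide. The DEFAULT_* and SUPPORTED_* lists, the sshd_config fragment and the function names are constructed for the example; on a real system the defaults come from the sshd_config(5) page for the installed version and the supported names from ssh -Q. The script also handles the ^ prefix, which OpenSSH 8.0 and later accept to place algorithms at the head of the default list; this page itself only covers + and -.

```sh
#!/bin/sh
# Added example, not code from the IBM page or from OpenSSH. It previews the
# effective Ciphers/MACs/KexAlgorithms list that a '+', '-' or '^' prefix
# produces by re-implementing the prefix rules documented in sshd_config(5),
# so an edit to /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config can be
# sanity-checked before sshd is restarted. Runs in PASE (call qp2term) or any sh.
# ASSUMPTIONS: DEFAULT_* and SUPPORTED_* are abridged, constructed stand-ins
# for the real defaults (sshd_config(5) of the installed version) and for the
# real 'ssh -Q cipher' / 'ssh -Q mac' output of the installed binaries.
set -f   # no pathname expansion: a value like '-*-cbc' must never match files

DEFAULT_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
DEFAULT_MACS='umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'
SUPPORTED_CIPHERS='3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

words() { printf '%s' "$1" | tr ',' ' '; }            # "a,b" -> "a b"

# list_has LIST NAME: exact membership test on a comma-separated list.
list_has() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# matches_any NAME PATTERNS: true if NAME matches any comma-separated glob.
matches_any() {
    for pat in $(words "$2"); do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# apply_list DEFAULTS VALUE: print the effective list for one config value.
#   '+a,b'  append a and b to the defaults (names already present are skipped)
#   '-a,b'  remove matching names from the defaults; globs such as '*-cbc' work
#   '^a,b'  put a and b at the head of the list, then the remaining defaults
#   'a,b'   no prefix: the value replaces the default list entirely
apply_list() {
    defaults=$1 value=$2 out=''
    case $value in
        +*)   out=$defaults
              for alg in $(words "${value#+}"); do
                  list_has "$out" "$alg" || out="$out,$alg"
              done ;;
        -*)   for alg in $(words "$defaults"); do
                  matches_any "$alg" "${value#-}" || out="${out:+$out,}$alg"
              done ;;
        '^'*) out=${value#^}
              for alg in $(words "$defaults"); do
                  list_has "$out" "$alg" || out="$out,$alg"
              done ;;
        *)    out=$value ;;
    esac
    printf '%s\n' "$out"
}

# unsupported_names SUPPORTED LIST: print the names in LIST that this build
# cannot provide. sshd refuses to start on a '+', '^' or replacement list that
# names one ("Bad SSH2 cipher spec"), while a '-' list is not validated at all,
# so a typo there silently removes nothing.
unsupported_names() {
    for alg in $(words "$2"); do
        list_has "$1" "$alg" || printf '%s\n' "$alg"
    done
}

# effective_from_config FILE KEYWORD DEFAULTS: sshd uses the FIRST occurrence
# of a keyword and ignores later ones, so a duplicate line further down the
# file has no effect. Prints DEFAULTS when the keyword is absent.
effective_from_config() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then apply_list "$3" "$val"; else printf '%s\n' "$3"; fi
}

# Constructed sshd_config fragment for the demo (not a real IBM i file). The
# first Ciphers line is the one sshd honours; the second is dead configuration.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# risky: re-enables CBC ciphers that were dropped from the defaults
Ciphers +aes256-cbc,aes128-cbc
# intended hardening, but ignored: sshd already took the first Ciphers line
Ciphers -aes128-ctr
MACs -hmac-sha1*,umac-64*
EOF
    echo "Ciphers: $(effective_from_config "$cfg" Ciphers "$DEFAULT_CIPHERS")"
    echo "MACs:    $(effective_from_config "$cfg" MACs "$DEFAULT_MACS")"
    echo "Unsupported in '+3des-cbc,aes256-xts': $(unsupported_names "$SUPPORTED_CIPHERS" '3des-cbc,aes256-xts' | tr '\n' ' ')"
    rm -f "$cfg"
}
demo
```

On a real server, replace the DEFAULT_* lists with the defaults of the installed version and feed the output of ssh -Q cipher / ssh -Q mac / ssh -Q kex to unsupported_names; this script only predicts the result, and sshd -T against the edited file remains the authoritative check.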


Document Information

Modified date:
19 February 2024

UID

ibm17111089