topic Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms in Operating System - HP-UX

Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms

chindi — Wed, 07 Jan 2015 07:14:41 GMT

Hi ,

We have been asked to carry out the following activities by Audit team for hpux 11iv3 servers ;

1) Observation:--The SSH server is configured to use Cipher Block Chaining.
Recommendation :--Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

2) Observation:--SSH is configured to allow MD5 and 96-bit MAC algorithms.
Recommendation :-Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms

Patrick Wallek — Wed, 07 Jan 2015 15:06:51 GMT

There are a couple of sections in the ssh_config and sshd_config files that can be changed.

Those are the "Ciphers" and the "MACs" sections of the config files.

From the man page for ssh_config and sshd_config:

Ciphers

Specifies the ciphers allowed for protocol version 2 in order ofpreference. Multiple ciphers must be comma-separated. Thesupported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',and ``cast128-cbc''.

The default is:

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

MACs

Specifies the MAC (message authentication code) algorithms inorder of preference. The MAC algorithm is used in protocolversion 2 for data integrity protection. Multiple algorithmsmust be comma-separated. The algorithms that contain ``-etm''calculate the MAC after encryption (encrypt-then-mac). These areconsidered safer and their use recommended.

The default is:

``hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com, umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com<mailto:umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com>, hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com<mailto:hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com>, hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.

The lines in the ssh_config file, which are commented out on one of my test system are:

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

The sshd_config file does not have any example lines in it, but you can add the Ciphers and MACs line, exactly like the ssh_config file.

If you want to change them, uncomment the appropriate lines and add/change the appropriate items for each line. I would then stop / restart SSH to test the changes.

Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms

mrmahdy — Tue, 05 May 2020 18:18:49 GMT

Hi Patrick,

What commands do I need to make the changes to these files?

ssh_config and sshd_config files

Thank you

Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms

Dskmn — Tue, 12 Sep 2023 18:30:39 GMT

Did you manage to find the answer of how to edit these files? WinSCP isn't working. I can connect via SSH but like you I can't find the commands needed to edit the files.

Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms

Sunitha_Mod — Fri, 15 Sep 2023 04:23:15 GMT

Hello @Dskmn,

Thank you for posting! Since you have posted in an old topic and there is no response yet, I would recommend you create a new topic using the "New Discussion" button, so the experts can check and guide you further.