- Disable CBC mode cipher encryption , MD5 and 96-bi...
01-06-2015 11:14 PM
Hi,
We have been asked to carry out the following activities by the Audit team for HP-UX 11i v3 servers:
1) Observation: The SSH server is configured to use Cipher Block Chaining.
Recommendation: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
2) Observation: SSH is configured to allow MD5 and 96-bit MAC algorithms.
Recommendation: Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
- Tags:
- ssh
01-07-2015 07:06 AM
There are a couple of sections in the ssh_config and sshd_config files that can be changed.
Those are the "Ciphers" and the "MACs" sections of the config files.
From the man page for ssh_config and sshd_config:
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''.
The default is:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The algorithms that contain ``-etm'' calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended.
The default is:
``hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
The lines in the ssh_config file, which are commented out on one of my test systems, are:
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
The sshd_config file does not have any example lines in it, but you can add the Ciphers and MACs line, exactly like the ssh_config file.
If you want to change them, uncomment the appropriate lines and add/change the appropriate items for each line. I would then stop / restart SSH to test the changes.
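An added example, not code from the thread or from HPE: a POSIX sh script that reports which entries of the effective Ciphers and MACs lists fall into the families the audit flagged (names ending in -cbc; names containing md5 or -96) and prints the replacement lines. It treats a commented-out or absent keyword as "the man-page default applies", using the default lists quoted above; the weak-name patterns are my choice, not from the page.

```shell
#!/bin/sh
# Added example (not from the thread): flag the CBC ciphers and the MD5 /
# 96-bit MACs in an ssh_config or sshd_config and print replacement lines.
# A commented-out or absent keyword means the daemon default applies, so the
# man-page default lists quoted above are checked in that case.

DEFAULT_CIPHERS='aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'
DEFAULT_MACS='hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'
WEAK_CIPHER='-cbc$'   # every CBC-mode name ends in -cbc (arcfour/RC4 is outside the audit's scope)
WEAK_MAC='md5|-96'    # hmac-md5* plus every 96-bit truncation, -etm variants included

# Join stdin lines into one comma-separated line.
join_commas() { awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'; }

# Entries of comma-separated list $1 that match pattern $2 (the offenders).
weak_entries() { printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$2" | join_commas; }

# List $1 with every entry matching pattern $2 removed, order preserved.
strip_weak() { printf '%s\n' "$1" | tr ',' '\n' | grep -v -E -e "$2" | join_commas; }

# Value of the first active (uncommented) "Keyword value" line in file $2.
config_value() { awk -v key="$1" '$1 == key { print $2; exit }' "$2"; }

# Effective list for keyword $1 in file $2: the configured value, else default $3.
effective() {
    v=$(config_value "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Audit file $1: print the weak entries, then the Ciphers/MACs lines to put in
# the file (uncommented) before stopping and restarting sshd, as the answer says.
audit_config() {
    c=$(effective Ciphers "$1" "$DEFAULT_CIPHERS")
    m=$(effective MACs "$1" "$DEFAULT_MACS")
    printf 'Ciphers weak: %s\n' "$(weak_entries "$c" "$WEAK_CIPHER")"
    printf 'MACs weak: %s\n' "$(weak_entries "$m" "$WEAK_MAC")"
    printf 'Ciphers %s\n' "$(strip_weak "$c" "$WEAK_CIPHER")"
    printf 'MACs %s\n' "$(strip_weak "$m" "$WEAK_MAC")"
}

# Constructed sample: the two commented-out lines from the answer, so the
# defaults (CBC included) are what the daemon actually offers.
SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE" <<'EOF'
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
EOF
audit_config "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against /opt/ssh/etc/sshd_config (or wherever your HP-UX Secure Shell keeps its files) and paste the two printed lines in, uncommented; the commented-out example lines on the page leave the CBC-bearing defaults in force.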
05-05-2020 11:18 AM
Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms
Hi Patrick,
What commands do I need to make the changes to these files (ssh_config and sshd_config)?
Thank you
09-12-2023 11:30 AM
Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms
Did you manage to find the answer to how to edit these files? WinSCP isn't working. I can connect via SSH, but like you I can't find the commands needed to edit the files.
09-14-2023 09:23 PM
Re: Disable CBC mode cipher encryption , MD5 and 96-bit MAC algorithms
Hello @Dskmn,
Thank you for posting! Since you have posted in an old topic and there is no response yet, I would recommend you create a new topic using the "New Discussion" button, so the experts can check and guide you further.
Thanks,
Sunitha G
I'm an HPE employee.
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
