ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

sakura87c
Occasional Advisor

How can I disable SHA-1 and HMAC algorithms on the SSH service of iLO 5?

There is no option in the iLO 5 portal and, if High Security is applied in the Encryption settings, weak ciphers like sha1 and ssh-rsa are still used; see the SSH trace:

[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp384
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa


Greeshma21
HPE Pro

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Hi @sakura87c 

You can refer to this document. It might help you.

Regards,
Greeshma


I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

sakura87c
Occasional Advisor

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

That document explains how to configure sshd_config, and that's not possible in the iLO 5 environment.

Bunsol
HPE Pro

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Please check if this is the setting you are looking for:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-53B58A1B-438D-46EA-B867-54B3D0F56F9E.html

sakura87c
Occasional Advisor

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Hi,

Thanks a lot for the link!!

For me it is clear now that Security State must be set to High Security in order to disable weak ciphers.

However, High Security is still not disabling the weak SSH host key algorithm ssh-rsa. How can I change the SSH host key, for instance, to ssh-dsa?

Bunsol
HPE Pro

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

The weak SSH host key needs to be disabled from the operating system. Please check with the OS vendor for the same.

sakura87c
Occasional Advisor

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Hello @Bunsol ,

As I posted previously, the following line is traced from my SSH client:

[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp384

This means that the server my SSH client is connecting to is suggesting the kex methods available on the server side.

Actually, as per the documentation you provided: https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-53B58A1B-438D-46EA-B867-54B3D0F56F9E.html

It clearly says that diffie-hellman-group14-sha1 is only supported in the Production state, not in High Security; see the documentation:

Production

  • AES256-CBC, AES128-CBC, 3DES-CBC, AES256-CTR, AEAD_AES_256_GCM, and AES256-GCM ciphers
  • diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, and ecdh-sha2-nistp384 key exchange
  • hmac-sha1, hmac-sha2-256, and AEAD_AES_256_GCM MACs

FIPS or High Security

  • AES256-CTR, AEAD_AES_256_GCM, and AES256-GCM ciphers
  • diffie-hellman-group-exchange-sha256 and ecdh-sha2-nistp384 key exchange
  • hmac-sha2-256 or AEAD_AES_256_GCM MACs

So why is the server suggesting this cipher?
Bunsol
HPE Pro

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

These are the modes available. If you want to understand why these ciphers are used please log a support case so that this can be investigated further.

sakura87c
Occasional Advisor
Solution

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Hello,

I have updated the iLO firmware to 3.08 and the weak ciphers have disappeared. See the SSH client trace:

[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp384
[LOCAL] : Selected Kex Method = ecdh-sha2-nistp384
[LOCAL] : Available Remote Host Key Algos = rsa-sha2-512,rsa-sha2-256
[LOCAL] : Selected Host Key Algo =
[LOCAL] : Available Remote Send Ciphers = aes256-ctr,AEAD_AES_256_GCM,aes256-gcm@openssh.com
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes256-ctr,AEAD_AES_256_GCM,aes256-gcm@openssh.com
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-sha2-256,AEAD_AES_256_GCM
[LOCAL] : Selected Send Mac = hmac-sha2-256
[LOCAL] : Available Remote Recv Macs = hmac-sha2-256,AEAD_AES_256_GCM
[LOCAL] : Selected Recv Mac = hmac-sha2-256

For me this issue is solved already.

Cheers!!
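As an added example, not code from this thread, from HPE or from iLO, here is a small Python audit that does what the two client traces in this thread do by hand: it parses the name-lists an SSH server sends in its KEXINIT packet, checks them against the "FIPS or High Security" set quoted from the HPE document earlier in the thread, and flags anything a vulnerability scanner would report (SHA-1 kex and MACs, CBC ciphers, ssh-rsa). Two constructed packets reproduce the advertised lists from the first trace and from the post-3.08 trace; the cipher and MAC lists of the first sample are assumed from the documented Production set, since that trace did not show them. The `probe()` helper for a live host, the allow-list variable names and the command-line handling are assumptions of this example, not anything HPE ships.

```python
# Added example (not code from the thread, HPE or iLO): parse an SSH_MSG_KEXINIT
# (RFC 4253 section 7.1) and audit its name-lists against the iLO 5 High Security set.
import os
import socket
import struct

# Allow-list copied from the "FIPS or High Security" excerpt quoted in this thread.
# The document lists no host-key algorithms, so that category is only screened
# for known-weak names.
ILO5_HIGH_SECURITY = {
    "kex": {"diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp384"},
    "cipher": {"aes256-ctr", "AEAD_AES_256_GCM", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "AEAD_AES_256_GCM"},
}
# Substrings a scanner flags: SHA-1, CBC modes, 1024-bit DH group1, legacy host keys.
WEAK_MARKERS = ("sha1", "-cbc", "group1-", "ssh-rsa", "ssh-dss", "md5", "3des", "arcfour")

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (msg id, 16-byte cookie, ten name-lists) into lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError(f"not a KEXINIT (message id {payload[0]})")
    pos, fields = 1 + 16, {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        fields[name] = [a for a in payload[pos:pos + length].decode("ascii").split(",") if a]
        pos += length
    return fields

def build_kexinit(fields: dict) -> bytes:
    """Inverse of parse_kexinit; used below only to construct sample packets."""
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def audit(fields: dict, allowed: dict = ILO5_HIGH_SECURITY) -> dict:
    """Return {category: [offending names]} for weak or non-allow-listed algorithms."""
    checks = {"kex": fields["kex"], "hostkey": fields["hostkey"],
              "cipher": fields["cipher_s2c"], "mac": fields["mac_s2c"]}
    findings = {}
    for cat, names in checks.items():
        bad = [n for n in names
               if any(m in n.lower() for m in WEAK_MARKERS)
               or (cat in allowed and n not in allowed[cat])]
        if bad:
            findings[cat] = bad
    return findings

def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Live check (assumed helper): send our version line, skip the server's
    identification line(s), read one unencrypted binary packet (the KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before KEXINIT")
            buf += chunk
            start = buf.find(b"SSH-")
            end = buf.find(b"\n", start) if start >= 0 else -1
            if end >= 0:
                rest = buf[end + 1:]
                break
        while len(rest) < 5:
            rest += s.recv(4096)
        packet_length, padding_length = struct.unpack(">IB", rest[:5])
        while len(rest) < 4 + packet_length:
            rest += s.recv(4096)
        return parse_kexinit(rest[5:4 + packet_length - padding_length])

def sample(kex, hostkey, ciphers, macs) -> bytes:
    """Constructed KEXINIT with identical client-to-server and server-to-client lists."""
    return build_kexinit({"kex": kex, "hostkey": hostkey, "cipher_c2s": ciphers,
                          "cipher_s2c": ciphers, "mac_c2s": macs, "mac_s2c": macs,
                          "comp_c2s": ["none"], "comp_s2c": ["none"]})

# Constructed from the first trace in the thread; ciphers/MACs assumed from the Production list.
SAMPLE_BEFORE_UPDATE = sample(
    ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1", "ecdh-sha2-nistp384"],
    ["ssh-rsa"],
    ["aes256-cbc", "aes128-cbc", "3des-cbc", "aes256-ctr", "aes256-gcm@openssh.com"],
    ["hmac-sha1", "hmac-sha2-256"])
# Constructed from the post-3.08 trace in the solution post.
SAMPLE_AFTER_UPDATE = sample(
    ["diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp384"],
    ["rsa-sha2-512", "rsa-sha2-256"],
    ["aes256-ctr", "AEAD_AES_256_GCM", "aes256-gcm@openssh.com"],
    ["hmac-sha2-256", "AEAD_AES_256_GCM"])

if __name__ == "__main__":
    import sys  # usage: python kexaudit.py <ilo-host>   (no argument: audit the "before" sample)
    target = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(SAMPLE_BEFORE_UPDATE)
    print(audit(target) or "clean")
```

Run it without arguments to see the "before" sample flagged on all four categories; the "after" sample audits clean. With a host name it only performs the identification exchange and reads the server's first packet, which SSH always sends in the clear before any key exchange, so no credentials are needed and nothing is logged as a failed login. `ssh -vv <host>` or nmap's `ssh2-enum-algos` script show the same lists if you would rather not script it.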

Sunitha_Mod
Moderator

Re: ProLiant DL380 Gen10 - SSH SHA-1 HMAC Algorithms Enabled (Port 22)

Hello @sakura87c,

That's Awesome! 

We are extremely glad to know the issue has been resolved and we appreciate you for keeping us updated. 


Thanks,
Sunitha G
I'm an HPE employee.