https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/234975#M67366 <P>Starting from PAN-OS 8.0 we have introduced the capability to select Ciphers for admin SSH connections. Run the following commands to disable weak Cipher Suits:</P><P>&nbsp;</P><P>&gt;configure<BR />#delete deviceconfig system ssh</P><P>#set deviceconfig system ssh ciphers mgmt aes128-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes192-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes256-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes128-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes192-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes128-gcm<BR />#set deviceconfig system ssh ciphers mgmt aes256-gcm</P><P># set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048<BR /># set deviceconfig system ssh session-rekey mgmt interval 3600</P><P># commit</P><P>Exit from config mode by typing 'exit'</P><P>&gt; set ssh service-restart mgmt</P> Thu, 11 Oct 2018 18:13:46 GMT jvarghese 2018-10-11T18:13:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/204407#M60131 <P>We used Nessus to run security scan on the PA-5220 we are trying out and it came back with the following medium vulnerability:</P><P><A href="https://www.tenable.com/plugins/nessus/90317" target="_blank">https://www.tenable.com/plugins/nessus/90317</A></P><P><STRONG>The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.</STRONG></P><P><STRONG>Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.</STRONG></P><P><STRONG>Contact the vendor or consult product documentation to remove the weak ciphers</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P>Any idea how to remove/disable the weak ciphers?</P> Thu, 08 Mar 2018 19:52:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/204407#M60131 cnarvasa 2018-03-08T19:52:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/204473#M60136 <P>Hello,</P><P>This might help.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-data-center/data-center-best-practice-security-policy/how-to-decrypt-data-center-traffic/create-the-data-center-best-practice-decryption-profile.html" target="_blank">https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-data-center/data-center-best-practice-security-policy/how-to-decrypt-data-center-traffic/create-the-data-center-best-practice-decryption-profile.html</A></P><P>&nbsp;</P><P>Regards,</P> Thu, 08 Mar 2018 22:46:39 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/204473#M60136 OtakarKlier 2018-03-08T22:46:39Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/234975#M67366 <P>Starting from PAN-OS 8.0 we have introduced the capability to select Ciphers for admin SSH connections. Run the following commands to disable weak Cipher Suits:</P><P>&nbsp;</P><P>&gt;configure<BR />#delete deviceconfig system ssh</P><P>#set deviceconfig system ssh ciphers mgmt aes128-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes192-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes256-cbc<BR />#set deviceconfig system ssh ciphers mgmt aes128-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes192-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />#set deviceconfig system ssh ciphers mgmt aes128-gcm<BR />#set deviceconfig system ssh ciphers mgmt aes256-gcm</P><P># set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048<BR /># set deviceconfig system ssh session-rekey mgmt interval 3600</P><P># commit</P><P>Exit from config mode by typing 'exit'</P><P>&gt; set ssh service-restart mgmt</P> Thu, 11 Oct 2018 18:13:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/234975#M67366 jvarghese 2018-10-11T18:13:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/235173#M67428 <P>Having tried the manual cipher configuration on PAN VMs it then renders SSH useless from the client side. The error seen then is:</P><P>"no hostkey alg"</P> Fri, 12 Oct 2018 18:06:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/235173#M67428 louisbolanos 2018-10-12T18:06:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/259761#M73627 <P>Is there any other solution to fix in&nbsp;&nbsp;<SPAN>PANOS-7.1.14 with out upgarding to 8.x.x and running the mentioned command?</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Fri, 03 May 2019 17:25:49 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/259761#M73627 sarumughan 2019-05-03T17:25:49Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/277676#M75483 <P>I found steps on the link below, I hope they will be helpful.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection#" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection#</A></P> Fri, 19 Jul 2019 06:29:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-ssh-weak-algorithm-supported/m-p/277676#M75483 cniwagaba 2019-07-19T06:29:17Z