https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/388879#M90558 <P>I have been trying to find out in the release notes to see where SSH version 1 is disabled completely. Any pointers would be appreciate it.&nbsp;</P> Wed, 03 Mar 2021 18:08:00 GMT Ram_Bista 2021-03-03T18:08:00Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305853#M79492 <P>Hi Peeps,</P><P>I got technical query regarding how to change SSH v1 to SSH v2 in PA firewall, Because one of our customer got an alert from VAPT tool like as follows,.</P><P>&nbsp;</P><P>&nbsp;</P><P>Description :-&nbsp;</P><P>&nbsp;</P><P>KPMG test team observed that the Secure Shell protocol version 1 support was enabled on the tested devices.</P><P>Secure Shell is typically used as a cryptographically secure alternative to Telnet and other clear-text protocols. In addition to command-based access, Secure Shell services can enable the forwarding of network ports (such as X forwarding) or the transfer of files (such as Secure Copy or Secure File Transfer Protocol).</P><P>There are two main versions of the Secure Shell protocol, version 1 and 2. Version 2 was developed to both extend the functionality of the protocol and to enhance security. It is common for Secure Shell servers that support both versions of the protocol to be capable of being configured to support connections from clients using different versions of the protocol in order to maintain backward compatibility.</P><P>&nbsp;</P><P>Severity :- Medium</P><P>&nbsp;</P><P>CVE/CWE ID :-&nbsp; N/A</P><P>&nbsp;</P><P>Impact :-&nbsp;Although flaws have been identified with Secure Shell protocol version 2, fundamental flaws exist in protocol version 1.</P><P>Recommendation :-&nbsp;It is recommended that the Secure Shell service should be reconfigured to only support version 2 of the protocol.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Jan 2020 11:06:34 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305853#M79492 sahithyan.subbu 2020-01-07T11:06:34Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305915#M79507 <P>I did some research, and if you are on 8.0 and higher, you should be able to configure these</P><P>&nbsp;</P><P>configure<BR />set deviceconfig system ssh ciphers mgmt aes128-cbc<BR />set deviceconfig system ssh ciphers mgmt aes192-cbc<BR />set deviceconfig system ssh ciphers mgmt aes256-cbc<BR />set deviceconfig system ssh ciphers mgmt aes128-ctr<BR />set deviceconfig system ssh ciphers mgmt aes192-ctr<BR />set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />set deviceconfig system ssh ciphers mgmt aes128-gcm<BR />set deviceconfig system ssh ciphers mgmt aes256-gcm</P><P>&nbsp;</P><P>Will these work for you?</P> Wed, 08 Jan 2020 00:12:59 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305915#M79507 S.Cantwell 2020-01-08T00:12:59Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305916#M79508 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a>&nbsp;wrote:<BR /><P>I did some research, and if you are on 8.0 and higher, you should be able to configure these</P><P>&nbsp;</P><P>configure<BR />set deviceconfig system ssh ciphers mgmt aes128-cbc<BR />set deviceconfig system ssh ciphers mgmt aes192-cbc<BR />set deviceconfig system ssh ciphers mgmt aes256-cbc<BR />set deviceconfig system ssh ciphers mgmt aes128-ctr<BR />set deviceconfig system ssh ciphers mgmt aes192-ctr<BR />set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />set deviceconfig system ssh ciphers mgmt aes128-gcm<BR />set deviceconfig system ssh ciphers mgmt aes256-gcm</P><P>&nbsp;</P><P>Will these work for you?</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>Steve these are just the ciphers...not the version of the SSH protocol.&nbsp; In your investigation was there are way to actually configure the SSH version used?&nbsp; If not, I'm guessing the only way to accomplish this setting might be with putting the device into FIPS compliance mode.</P> Wed, 08 Jan 2020 00:50:09 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305916#M79508 Brandon_Wertz 2020-01-08T00:50:09Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305920#M79509 <P>These are the supported SSH v2 ciphers.</P><P>By configuring and allowing only these, then V1 will not work.</P><P>&nbsp;</P><P>So there is no way to disable SSHv1 support, only configuring the FW to allow the stronger ones, if that makes sense.</P><P>&nbsp;</P><P>According to research... when the scanner tested again, it passed without warning, which is what you are looking to do, I presume...get the warning to no longer show in a scan?</P><P>&nbsp;</P><P>Steve</P> Wed, 08 Jan 2020 01:19:29 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/305920#M79509 S.Cantwell 2020-01-08T01:19:29Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/306847#M79700 <P>What version of PanOS are you running?</P><P>&nbsp;</P><P>On 8.1.12, the only ciphers available are the ones listed above, there are no others available to choose from.</P><P>&nbsp;</P><P>And , if I try to force my SSH client to connect using SSHv1, I get this:</P><P>Protocol major versions differ: 1 vs. 2</P><P>&nbsp;</P><P>So, it looks like with 8.1 and higher, SSHv1 has been disabled completely.</P> Wed, 15 Jan 2020 19:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/306847#M79700 fjwcash 2020-01-15T19:03:42Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/388879#M90558 <P>I have been trying to find out in the release notes to see where SSH version 1 is disabled completely. Any pointers would be appreciate it.&nbsp;</P> Wed, 03 Mar 2021 18:08:00 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/388879#M90558 Ram_Bista 2021-03-03T18:08:00Z https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/388884#M90561 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156763">@Ram_Bista</a>&nbsp;</P> <P>&nbsp;</P> <P>I do not believe you will find that SSHv1 has been discontinued.&nbsp;</P> <P>I think it is up to engineers to know and to deprecate SSH v1, to only allow the FW to communicate via SSH v2 ciphers.</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 03 Mar 2021 18:30:31 GMT https://live.paloaltonetworks.com/t5/general-topics/urgent-ssh-protocol-version-1/m-p/388884#M90561 S.Cantwell 2021-03-03T18:30:31Z