https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/421267#M93933 <P><SPAN>to set the cipher suites only on the management interface, you can use a profile&nbsp;for SSH&nbsp;the set of commands is&nbsp;</SPAN></P><PRE>&gt; configure # delete deviceconfig system ssh # set deviceconfig system ssh ciphers mgmt aes256-ctr # set deviceconfig system ssh ciphers mgmt aes256-gcm # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 # set deviceconfig system ssh session-rekey mgmt interval 3600 # set deviceconfig system ssh mac mgmt hmac-sha2-256 # set deviceconfig system ssh mac mgmt hmac-sha2-512 # commit # exit &gt; set ssh service-restart mgmt</PRE> Thu, 22 Jul 2021 09:58:41 GMT blocker95848 2021-07-22T09:58:41Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/420903#M93908 <P>&nbsp;</P><P>We are using OpenSSH v8.2 cannot connect to SSH hosts with SSH Proxy enabled (SSH Decryption).</P><P>&nbsp;</P><P>Testing showing that this is due to the Palo Alto attempting to use RSA with SHA1 which has been removed by OpenSSH in v8.2.</P><P>&nbsp;</P><P>&nbsp;</P><P>Is there a way we can configure the Palo Alto to disable RSA/SHA1 for SSH?</P><P>&nbsp;</P> Tue, 20 Jul 2021 22:55:43 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/420903#M93908 Jatin.Singh 2021-07-20T22:55:43Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/421037#M93919 <P>Hello,</P><P>If these hosts are internal, why not bypass decryption for them from trusted hosts/users?&nbsp;</P><P>&nbsp;</P><P>Regards,</P> Wed, 21 Jul 2021 14:57:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/421037#M93919 OtakarKlier 2021-07-21T14:57:32Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/421267#M93933 <P><SPAN>to set the cipher suites only on the management interface, you can use a profile&nbsp;for SSH&nbsp;the set of commands is&nbsp;</SPAN></P><PRE>&gt; configure # delete deviceconfig system ssh # set deviceconfig system ssh ciphers mgmt aes256-ctr # set deviceconfig system ssh ciphers mgmt aes256-gcm # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 # set deviceconfig system ssh session-rekey mgmt interval 3600 # set deviceconfig system ssh mac mgmt hmac-sha2-256 # set deviceconfig system ssh mac mgmt hmac-sha2-512 # commit # exit &gt; set ssh service-restart mgmt</PRE> Thu, 22 Jul 2021 09:58:41 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/421267#M93933 blocker95848 2021-07-22T09:58:41Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/549456#M112114 <P>You can also configure the SSH profile directly from the firewall; caveat - you will still need to run the restart command listed above by&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="UserName lia-user-name lia-user-rank-L0-Member lia-component-message-view-widget-author-username"><A id="link_18" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/188319" target="_self" aria-label="View Profile of blocker95848"><SPAN class="">@Blocker95848</SPAN></A></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zmacharia_PA_1-1689529866214.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51620iFFDD74589DEF5993/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zmacharia_PA_1-1689529866214.png" alt="zmacharia_PA_1-1689529866214.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zmacharia_PA_0-1689529842973.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51619i751344E6BAECD378/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zmacharia_PA_0-1689529842973.png" alt="zmacharia_PA_0-1689529842973.png" /></span></P> <P>&nbsp;</P> Sun, 16 Jul 2023 17:54:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/549456#M112114 zmacharia_PA 2023-07-16T17:54:30Z https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/549462#M112117 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/114565">@Jatin.Singh</a> ,</P> <P>&nbsp;</P> <P>That is a great question.&nbsp; It would be nice to disabled protocols on the SSH Proxy tab of the decryption profile, but you can't.&nbsp; The only purpose for SSH Proxy is to be able to detect the ssh-tunnel App-ID.&nbsp; The NGFW does not actually perform content inspection on the decrypted traffic.&nbsp; I would disable it as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a> mentioned.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 17 Jul 2023 01:23:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-disable-rsa-sha1-on-palo-alto-device-for-ssh-access/m-p/549462#M112117 TomYoung 2023-07-17T01:23:10Z