https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/426537#M94507 <P>Hi Team,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; As per below I could understand the CBC&nbsp;mode cipher encryption was handling by server not firewall right ? correct me If I'm wrong ...... Also for that we need to reach the concern server OS vendor or support to change encryption CBC to CTR, GCM encryption.</P><P>&nbsp;</P><P><STRONG>&nbsp;IBM SERVER</STRONG></P><P><A href="https://www.ibm.com/support/pages/disabling-cipher-block-chaining-cbc-mode-ciphers-and-weak-mac-algorithms-ssh-ibm-puredata-system-operational-analytics" target="_blank">https://www.ibm.com/support/pages/disabling-cipher-block-chaining-cbc-mode-ciphers-and-weak-mac-algorithms-ssh-ibm-puredata-system-operational-analytics</A></P><P>&nbsp;</P><P>PA-Community-post</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/ssh-ssl-issues-reported-from-vulnerability-assessment/td-p/143014" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/ssh-ssl-issues-reported-from-vulnerability-assessment/td-p/143014</A></P><P>&nbsp;</P><P>Regards</P><P>Kirubakaran.M</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 Aug 2021 14:31:46 GMT KirubaKaran 2021-08-12T14:31:46Z https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/101286#M44461 <P>Hi,</P><P>&nbsp;</P><P>May I check if it is possible to disable SSH CBC cipher and weak MAC hashing on Palo Alto Firewall?</P><P>If so, may I know how to do it.</P><P>&nbsp;</P><P>Had no luck searching for a solution online.</P><P>Seems like there is no menu/config file (e.g. /etc/ssh/ssh_config) to edit such settings.</P><P>&nbsp;</P><P>This is with relation to Nessus vulnerability findings.</P><P>Try to see how it can be addressed.</P><P>&nbsp;</P><P><A href="https://www.tenable.com/plugins/index.php?view=single&amp;id=70658" target="_blank">https://www.tenable.com/plugins/index.php?view=single&amp;id=70658</A></P><P><A href="https://www.tenable.com/plugins/index.php?view=single&amp;id=71049" target="_blank">https://www.tenable.com/plugins/index.php?view=single&amp;id=71049</A></P><P>&nbsp;</P><P>Thank you in advance</P> Fri, 05 Aug 2016 08:16:03 GMT https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/101286#M44461 boss82 2016-08-05T08:16:03Z https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/104390#M44687 <P>Hey,</P> <P>&nbsp;</P> <P>Even the latest Pan-OS version running in FIPS mode still has cbc enabled. There is not a way to modify this.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Non-FIPS/CC mode&nbsp;</SPAN></P> <P>Decryption (SSHv2 only)&nbsp;</P> <P>Ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc&nbsp;</P> <P>MAC Algorithms: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96&nbsp;</P> <P>aes192-ctr</P> <P>aes256-ctr</P> <P>aes128-gcm</P> <P>aes256-gcm</P> <P>&nbsp;</P> <P><SPAN>FIPS/CC mode&nbsp;</SPAN></P> <P>HMAC – HMAC-SHA-1&nbsp;</P> <P>Authentication – RSA (2048 bit key only)&nbsp;</P> <P>Key agreement – DH Group 14 (2048 bit)&nbsp;</P> <P>Symmetric Algorithm – AES128, AES192, or AES256 (CBC or CTR for all three)&nbsp;</P> Thu, 18 Aug 2016 23:08:09 GMT https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/104390#M44687 mmmccorkle 2016-08-18T23:08:09Z https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/285316#M76412 <P>Good link for setting ciphers.&nbsp; Remember do not include CBC in your config.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection#" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection#</A></P><P>&nbsp;</P><P>For MAC's I used these:</P><PRE>configure set deviceconfig system ssh mac mgmt hmac-sha1 set deviceconfig system ssh mac mgmt hmac-sha2-256 set deviceconfig system ssh mac mgmt hmac-sha2-512 commit</PRE> Tue, 27 Aug 2019 16:19:49 GMT https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/285316#M76412 Dave_Fitzjarrell 2019-08-27T16:19:49Z https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/426537#M94507 <P>Hi Team,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; As per below I could understand the CBC&nbsp;mode cipher encryption was handling by server not firewall right ? correct me If I'm wrong ...... Also for that we need to reach the concern server OS vendor or support to change encryption CBC to CTR, GCM encryption.</P><P>&nbsp;</P><P><STRONG>&nbsp;IBM SERVER</STRONG></P><P><A href="https://www.ibm.com/support/pages/disabling-cipher-block-chaining-cbc-mode-ciphers-and-weak-mac-algorithms-ssh-ibm-puredata-system-operational-analytics" target="_blank">https://www.ibm.com/support/pages/disabling-cipher-block-chaining-cbc-mode-ciphers-and-weak-mac-algorithms-ssh-ibm-puredata-system-operational-analytics</A></P><P>&nbsp;</P><P>PA-Community-post</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/ssh-ssl-issues-reported-from-vulnerability-assessment/td-p/143014" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/ssh-ssl-issues-reported-from-vulnerability-assessment/td-p/143014</A></P><P>&nbsp;</P><P>Regards</P><P>Kirubakaran.M</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 Aug 2021 14:31:46 GMT https://live.paloaltonetworks.com/t5/general-topics/possible-to-disable-ssh-cbc-cipher-and-weak-mac-hashing/m-p/426537#M94507 KirubaKaran 2021-08-12T14:31:46Z