How to disable SSH weak algorithm supported

L0 Member

We used Nessus to run a security scan on the PA-5220 we are trying out, and it came back with the following medium vulnerability:

https://www.tenable.com/plugins/nessus/90317

The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.

Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

Contact the vendor or consult product documentation to remove the weak ciphers.

Any idea how to remove/disable the weak ciphers?

L7 Applicator

Re: How to disable SSH weak algorithm supported

L0 Member

Re: How to disable SSH weak algorithm supported

Starting from PAN-OS 8.0 we have introduced the capability to select ciphers for admin SSH connections. Run the following commands to disable weak cipher suites:

> configure
# delete deviceconfig system ssh

# set deviceconfig system ssh ciphers mgmt aes128-cbc
# set deviceconfig system ssh ciphers mgmt aes192-cbc
# set deviceconfig system ssh ciphers mgmt aes256-cbc
# set deviceconfig system ssh ciphers mgmt aes128-ctr
# set deviceconfig system ssh ciphers mgmt aes192-ctr
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes128-gcm
# set deviceconfig system ssh ciphers mgmt aes256-gcm

# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600

# commit

Exit configuration mode by typing 'exit'.

> set ssh service-restart mgmt

L0 Member

Re: How to disable SSH weak algorithm supported

Having tried the manual cipher configuration on PAN VMs, I found it then renders SSH useless from the client side. The error seen is:

"no hostkey alg"
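
Two things worth verifying from the client side before and after running the commands in the reply above: which algorithms the management interface actually offers, and whether the client and server still share a host-key algorithm (an empty intersection is the condition behind the OpenSSH "no hostkey alg" error). The script below is an added example, not code from this thread or from Palo Alto Networks. It runs offline on a constructed sample of `nmap --script ssh2-enum-algos` output (not real PA-5220 output), and the function names `enum_section`, `weak_ciphers` and `common_hostkey_algs` and the client algorithm lists are my own assumptions. Note that the cipher list in the reply above keeps three CBC-mode ciphers; scanners commonly report those as a separate weak-cipher finding, so if yours does, omit the three `aes*-cbc` lines from the `set deviceconfig system ssh ciphers mgmt` sequence.

```shell
#!/bin/sh
# Added example (not from the thread or Palo Alto Networks): list what an SSH
# server offers, flag the algorithms weak-cipher scans object to, and check
# whether client and server share a host-key algorithm. On a real device, feed
# enum_section the output of:  nmap --script ssh2-enum-algos -p 22 <mgmt-ip>

# Constructed sample in the format nmap's ssh2-enum-algos script prints; it is
# not real scan output. It shows a server still offering RC4 and CBC ciphers.
SAMPLE_ENUM_ALGOS='| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (12)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       3des-cbc
|       arcfour
|       arcfour128
|       arcfour256
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

# Print the entries of one section (kex_algorithms, server_host_key_algorithms,
# encryption_algorithms, mac_algorithms, compression_algorithms) of
# ssh2-enum-algos output read on stdin, one name per line.
enum_section() {
    awk -v want="$1:" '
        /^[|][ _]+[a-z_]+:/ { in_sec = ($2 == want); next }
        in_sec              { sub(/^[|][ _]*/, ""); if ($0 != "") print }
    '
}

# Flag what trips SSH weak-cipher findings: RC4 (arcfour*), any CBC-mode
# cipher, 3DES, Blowfish and "none" (no encryption). Always exits 0 so the
# function can sit in a pipeline under `set -e`.
weak_ciphers() {
    grep -E -e '^arcfour' -e '-cbc$' -e '^3des' -e '^blowfish' -e '^none$' || :
}

# The eight ciphers enabled by the `set deviceconfig system ssh ciphers mgmt`
# lines in the reply above; the three CBC entries are what a CBC-mode finding
# would still report.
PANOS_ANSWER_CIPHERS='aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm
aes256-gcm'

# Print the host-key algorithms present in both lists ($1 = server list,
# $2 = client list, newline separated). Empty output means the two sides have
# nothing to negotiate, which is what the OpenSSH client reports as
# "no hostkey alg".
common_hostkey_algs() {
    { printf '%s\n' "$1"; echo '==='; printf '%s\n' "$2"; } | awk '
        $0 == ""       { next }
        $0 == "==="    { client = 1; next }
        !client        { server[$0] = 1; next }
        ($0 in server) { print }
    '
}

# Constructed client lists (assumptions, not from the thread). On a real client,
# `ssh -Q key` prints the supported key types and `ssh -G <host>` prints the
# effective HostKeyAlgorithms.
CLIENT_MODERN_ONLY='ssh-ed25519
ecdsa-sha2-nistp256'
CLIENT_WITH_RSA='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-512
rsa-sha2-256
ssh-rsa'

report() {
    echo "== weak ciphers offered by the scanned server =="
    printf '%s\n' "$SAMPLE_ENUM_ALGOS" | enum_section encryption_algorithms | weak_ciphers
    echo "== weak ciphers still present in the list from the reply above =="
    printf '%s\n' "$PANOS_ANSWER_CIPHERS" | weak_ciphers
    echo "== host-key algorithms a modern-only client shares with the server (empty = no hostkey alg) =="
    server_hk=$(printf '%s\n' "$SAMPLE_ENUM_ALGOS" | enum_section server_host_key_algorithms)
    common_hostkey_algs "$server_hk" "$CLIENT_MODERN_ONLY"
    echo "== host-key algorithms a client that still accepts ssh-rsa shares with the server =="
    common_hostkey_algs "$server_hk" "$CLIENT_WITH_RSA"
}
report
```

Run it against real output by replacing the sample with `nmap --script ssh2-enum-algos -p 22 <mgmt-ip>` output; after the `set ssh service-restart mgmt` step, the `weak_ciphers` output for the encryption section should be empty, and `common_hostkey_algs` for your client's list should print at least one algorithm, otherwise the client will fail before authentication.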

L2 Linker

Re: How to disable SSH weak algorithm supported

Is there any other solution to fix this in PAN-OS 7.1.14 without upgrading to 8.x.x and running the mentioned commands?
