*Urgent* SSH Protocol Version 1

L2 Linker
Hi Peeps,

I have a technical query regarding how to change SSH v1 to SSH v2 on a PA firewall, because one of our customers got an alert from a VAPT tool as follows:
Description :-

KPMG test team observed that the Secure Shell protocol version 1 support was enabled on the tested devices.

Secure Shell is typically used as a cryptographically secure alternative to Telnet and other clear-text protocols. In addition to command-based access, Secure Shell services can enable the forwarding of network ports (such as X forwarding) or the transfer of files (such as Secure Copy or Secure File Transfer Protocol).

There are two main versions of the Secure Shell protocol, version 1 and 2. Version 2 was developed to both extend the functionality of the protocol and to enhance security. It is common for Secure Shell servers that support both versions of the protocol to be capable of being configured to support connections from clients using different versions of the protocol in order to maintain backward compatibility.

 

Severity :- Medium

 

CVE/CWE ID :-  N/A

 

Impact :- Although flaws have been identified with Secure Shell protocol version 2, fundamental flaws exist in protocol version 1.

Recommendation :- It is recommended that the Secure Shell service should be reconfigured to only support version 2 of the protocol.
Thanks & Regards,
Sahithyan S
L5 Sessionator

Re: *Urgent* SSH Protocol Version 1

I did some research, and if you are on 8.0 and higher, you should be able to configure these

 

configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm

 

Will these work for you?

Help the community: Like helpful comments and mark solutions
L6 Presenter

Re: *Urgent* SSH Protocol Version 1


@SteveCantwell wrote:

I did some research, and if you are on 8.0 and higher, you should be able to configure these

 

configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm

 

Will these work for you?


 

Steve, these are just the ciphers... not the version of the SSH protocol. In your investigation, was there a way to actually configure the SSH version used? If not, I'm guessing the only way to accomplish this setting might be putting the device into FIPS compliance mode.

L5 Sessionator

Re: *Urgent* SSH Protocol Version 1

These are the supported SSH v2 ciphers.

By configuring and allowing only these, then V1 will not work.

 

So there is no way to disable SSHv1 support, only configuring the FW to allow the stronger ones, if that makes sense.

 

According to research... when the scanner tested again, it passed without warning, which is what you are looking to do, I presume...get the warning to no longer show in a scan?

 

Steve

Help the community: Like helpful comments and mark solutions
L4 Transporter

Re: *Urgent* SSH Protocol Version 1

What version of PanOS are you running?

 

On 8.1.12, the only ciphers available are the ones listed above; there are no others available to choose from.

 

And, if I try to force my SSH client to connect using SSHv1, I get this:

Protocol major versions differ: 1 vs. 2

 

So, it looks like with 8.1 and higher, SSHv1 has been disabled completely.
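The "Protocol major versions differ: 1 vs. 2" error above is the client reacting to the server's SSH identification string (RFC 4253 section 5.1): a server that advertises "SSH-2.0-..." will only negotiate v2, "SSH-1.99-..." means it is v2-capable but still accepts v1 clients, and "SSH-1.x-..." is v1 only. The check below is an added example and not code from the thread or from Palo Alto Networks; it parses identification strings and reports whether SSHv1 would be accepted, which is the same thing the VAPT scanner is looking for. The host name, port and sample banners are constructed for illustration.

```python
import re
import socket

# RFC 4253 5.1: identification string is
#   SSH-protoversion-softwareversion SP comments CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line: str) -> dict:
    """Split one SSH identification line into its fields; ValueError if malformed."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def classify_protocol(proto: str) -> str:
    """Map the protoversion field to what the server will negotiate.

    '2.0'  -> SSHv2 only
    '1.99' -> v2 server running in v1 compatibility mode (RFC 4253 5.1)
    '1.x'  -> SSHv1 only
    """
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def assess(line: str) -> dict:
    """Return a finding-style summary: software string, mode, and whether v1 is accepted."""
    info = parse_banner(line)
    mode = classify_protocol(info["proto"])
    return {
        "software": info["software"],
        "mode": mode,
        "sshv1_accepted": mode in ("v1-and-v2", "v1-only"),
    }


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line over TCP.

    RFC 4253 allows the server to send other lines before the identification
    string (each not starting with 'SSH-'), so those are skipped. Network access
    is needed; the sample run below uses constructed banners instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(50):  # bounded so a chatty or silent peer cannot hang us
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line
    raise RuntimeError("no SSH identification string received")


# Constructed sample banners (not captured from any real device).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4\r\n",            # what a v2-only management plane sends
    "SSH-1.99-ExampleVendor_1.0\r\n",     # compatibility mode: v1 still accepted
    "SSH-1.5-ExampleLegacy_3.4\r\n",      # v1 only
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
    # Against a live host you would call, e.g.:
    #   print(assess(fetch_banner("fw-mgmt.example.internal")))  # hypothetical host
```

Run against the firewall's management address, a result of mode "v2-only" is what the 8.1 behaviour in this thread corresponds to; a "v1-and-v2" result is what produces the scanner finding, since the server would still complete a v1 handshake with a v1 client.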