How to disable SSH weak algorithm supported

L0 Member

We used Nessus to run a security scan on the PA-5220 we are trying out, and it came back with the following medium vulnerability:

https://www.tenable.com/plugins/nessus/90317

The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.

Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

Contact the vendor or consult product documentation to remove the weak ciphers.

Any idea how to remove/disable the weak ciphers?

5 REPLIES

Cyber Elite

Starting from PAN-OS 8.0, we have introduced the capability to select ciphers for admin SSH connections. Run the following commands to disable weak cipher suites:


> configure
# delete deviceconfig system ssh

# set deviceconfig system ssh ciphers mgmt aes128-cbc
# set deviceconfig system ssh ciphers mgmt aes192-cbc
# set deviceconfig system ssh ciphers mgmt aes256-cbc
# set deviceconfig system ssh ciphers mgmt aes128-ctr
# set deviceconfig system ssh ciphers mgmt aes192-ctr
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes128-gcm
# set deviceconfig system ssh ciphers mgmt aes256-gcm

# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600

# commit

Exit from config mode by typing 'exit'

> set ssh service-restart mgmt

Having tried the manual cipher configuration on PAN VMs, it then renders SSH useless from the client side. The error seen then is:

"no hostkey alg"

Is there any other solution to fix this in PAN-OS 7.1.14 without upgrading to 8.x.x and running the mentioned commands?
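A check that serves both replies above: after changing the cipher list, confirm what the management SSH daemon actually offers, and see why a client can fail with "no hostkey alg". The script below is an added example written for this thread; it is not code from the posts and not Palo Alto Networks code. It parses the KEXINIT proposals that an OpenSSH client prints with `ssh -vv` (the `debug2: local client KEXINIT proposal` and `debug2: peer server KEXINIT proposal` blocks), flags the algorithm names a scanner objects to, and applies the first-match rule of RFC 4253 to show what would be negotiated. The two transcripts embedded in it are constructed for illustration, not captured from a PA-5220: the first mimics a server that still offers arcfour, the second a hardened server whose only host-key type the client refuses, which is exactly the condition that produces "no hostkey alg" (an empty client/server intersection for the host-key field).

```python
"""Audit the algorithms an SSH server offers, from `ssh -vv` debug output.
Added example for this thread; not Palo Alto Networks code. The transcripts
below are constructed, not captured from a PA-5220.
"""
import re
import sys
from typing import Dict, List, Optional

Proposal = Dict[str, List[str]]

# Arcfour (RC4) and "none" are what Nessus plugin 90317 names. CBC modes,
# MD5/truncated MACs, SHA-1 group exchange and DSA keys are flagged by other
# common SSH checks, so one run covers them as well.
WEAK_CIPHERS = {"none", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
WEAK_HOSTKEYS = {"ssh-dss"}

_FIELD_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc|"
    r"MACs ctos|MACs stoc|compression ctos|compression stoc): (.*)$"
)


def parse_kexinit(debug_output: str) -> Dict[str, Proposal]:
    """Split `ssh -vv` output into the 'client' and 'server' KEXINIT proposals."""
    proposals: Dict[str, Proposal] = {}
    current: Optional[Proposal] = None
    for raw in debug_output.splitlines():
        line = raw.strip()
        if line == "debug2: local client KEXINIT proposal":
            current = proposals.setdefault("client", {})
        elif line == "debug2: peer server KEXINIT proposal":
            current = proposals.setdefault("server", {})
        elif current is not None:
            m = _FIELD_RE.match(line)
            if m:
                current[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals


def is_weak(field: str, alg: str) -> bool:
    if field.startswith("ciphers"):
        return alg in WEAK_CIPHERS or alg.endswith("-cbc")
    per_field = {"MACs ctos": WEAK_MACS, "MACs stoc": WEAK_MACS,
                 "KEX algorithms": WEAK_KEX, "host key algorithms": WEAK_HOSTKEYS}
    return alg in per_field.get(field, set())


def weak_algorithms(server: Proposal) -> Dict[str, List[str]]:
    """Weak entries per field of the server proposal (empty dict = clean)."""
    findings: Dict[str, List[str]] = {}
    for field, algs in server.items():
        bad = [a for a in algs if is_weak(field, a)]
        if bad:
            findings[field] = bad
    return findings


def negotiate(client: Proposal, server: Proposal, field: str) -> Optional[str]:
    """RFC 4253 section 7.1: the first client algorithm the server also lists.
    None means the handshake fails, e.g. OpenSSH's "no hostkey alg"."""
    offered = set(server.get(field, []))
    return next((a for a in client.get(field, []) if a in offered), None)


def audit(debug_output: str) -> Dict[str, dict]:
    p = parse_kexinit(debug_output)
    client, server = p.get("client", {}), p.get("server", {})
    fields = ("KEX algorithms", "host key algorithms", "ciphers ctos", "MACs ctos")
    return {"weak": weak_algorithms(server),
            "negotiated": {f: negotiate(client, server, f) for f in fields}}


# Constructed client proposal, typical of a current OpenSSH client.
CLIENT = """debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
"""
# Constructed server that still offers arcfour (what the Nessus finding describes).
BEFORE_SCAN = CLIENT + """debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour,arcfour128
debug2: MACs ctos: hmac-sha1,hmac-md5,hmac-sha1-96
"""
# Constructed hardened server whose only host-key type the client will not accept.
AFTER_HARDENING = CLIENT + """debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    # Real use:  ssh -vv admin@<mgmt-ip> 2>&1 | python3 ssh_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE_SCAN
    for key, value in audit(text).items():
        print(key, value)
```

Two caveats when reading real output. OpenSSH's wire names for the GCM modes are `aes128-gcm@openssh.com` and `aes256-gcm@openssh.com`, so do not expect the bare `aes128-gcm` label from the PAN-OS CLI to appear verbatim in the proposal. And the cipher list in the reply above keeps the three `aes*-cbc` entries; this script flags every `-cbc` cipher because CBC-specific scanner checks do, so leave those entries out of the `set ... ciphers mgmt` commands if such checks are in scope for you.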

 
