How to remove SSH weak algorithms?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to remove SSH weak algorithms?

L3 Networker

An internal PCI vulnerability scan has revealed the following issues with the PAN-820 appliance:

1. SSH Weak Algorithms Supported: Tester has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Affects management interface 10.32.1.2:22 (tcp)
Also affects management interface of second PAN VM100 appliance.

2. SSL Medium Strength Cipher Suites Supported: The remote host supports the use of SSL ciphers that offer medium strength encryption. PCI Consulting Australia regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Affects management interface 10.32.1.2:443 (tcp)

Could you help me disable support for these ciphers?

===================================================

Found some article for them and ran these following commands 

>configure

#delete deviceconfig system ssh

#set deviceconfig system ssh ciphers mgmt aes128-cbc

#set deviceconfig system ssh ciphers mgmt aes192-cbc

#set deviceconfig system ssh ciphers mgmt aes256-cbc

#set deviceconfig system ssh ciphers mgmt aes128-ctr

#set deviceconfig system ssh ciphers mgmt aes192-ctr

#set deviceconfig system ssh ciphers mgmt aes256-ctr

#set deviceconfig system ssh ciphers mgmt aes128-gcm

#set deviceconfig system ssh ciphers mgmt aes256-gcm

# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048

# set deviceconfig system ssh session-rekey mgmt interval 3600

# commit

Exit from config mode by typing 'exit'

> set ssh service-restart mgmt

 

I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran:

delete deviceconfig system ssh
commit
set ssh service-restart mgmt.

and after a few minutes the tunnel came back up.

 

Would running those commands have disabled a cipher suite used by this tunnel?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

those commands set the cipher suite for the entire platform,it masy have an impact on tunnels that depend on a certain suite that is dependent on ssh

 

to set the cipher suites only on the management interface, you can use a profile (This is for SSL)

 

# set shared ssl-tls-service-profile <profile name> protocol-settings 
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version 
+ min-version            min-version 
  <Enter>                Finish input

and then set that in management

 

for SSH (as appropriately pointed out by @mivaldi ) the set of commands is 

 

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

those commands set the cipher suite for the entire platform,it masy have an impact on tunnels that depend on a certain suite that is dependent on ssh

 

to set the cipher suites only on the management interface, you can use a profile (This is for SSL)

 

# set shared ssl-tls-service-profile <profile name> protocol-settings 
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version 
+ min-version            min-version 
  <Enter>                Finish input

and then set that in management

 

for SSH (as appropriately pointed out by @mivaldi ) the set of commands is 

 

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Does the palo alto device need rebooted to make the ssh changes take affect?

@reaper those commands are for SSL, not SSH.

 

I don't see a use case for opening an SSH tunnel to the firewall. The system reference means that it will apply to connections that are host-bound (meaning landing on the firewall on the management interface through either the management port or a data port if a management interface profiles enable SSH service on a data port).

 

For instructions restricting SSH weak ciphers please refer to:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG

@Laura_Strutzel you need to restart the ssh service

 

set ssh service-restart mgmt

For more information please refer to the above posted Knowledge Base article.

  • 1 accepted solution
  • 26207 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!