*Urgent* SSH Protocol Version 1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

*Urgent* SSH Protocol Version 1

L3 Networker

Hi Peeps,

I got technical query regarding how to change SSH v1 to SSH v2 in PA firewall, Because one of our customer got an alert from VAPT tool like as follows,.

 

 

Description :- 

 

KPMG test team observed that the Secure Shell protocol version 1 support was enabled on the tested devices.

Secure Shell is typically used as a cryptographically secure alternative to Telnet and other clear-text protocols. In addition to command-based access, Secure Shell services can enable the forwarding of network ports (such as X forwarding) or the transfer of files (such as Secure Copy or Secure File Transfer Protocol).

There are two main versions of the Secure Shell protocol, version 1 and 2. Version 2 was developed to both extend the functionality of the protocol and to enhance security. It is common for Secure Shell servers that support both versions of the protocol to be capable of being configured to support connections from clients using different versions of the protocol in order to maintain backward compatibility.

 

Severity :- Medium

 

CVE/CWE ID :-  N/A

 

Impact :- Although flaws have been identified with Secure Shell protocol version 2, fundamental flaws exist in protocol version 1.

Recommendation :- It is recommended that the Secure Shell service should be reconfigured to only support version 2 of the protocol.

 

 

 

 

Thanks & Regards,
Sahithyan S
1 accepted solution

Accepted Solutions

What version of PanOS are you running?

 

On 8.1.12, the only ciphers available are the ones listed above, there are no others available to choose from.

 

And , if I try to force my SSH client to connect using SSHv1, I get this:

Protocol major versions differ: 1 vs. 2

 

So, it looks like with 8.1 and higher, SSHv1 has been disabled completely.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

I did some research, and if you are on 8.0 and higher, you should be able to configure these

 

configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm

 

Will these work for you?

Help the community: Like helpful comments and mark solutions


@SCantwell_IM wrote:

I did some research, and if you are on 8.0 and higher, you should be able to configure these

 

configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm

 

Will these work for you?


 

Steve these are just the ciphers...not the version of the SSH protocol.  In your investigation was there are way to actually configure the SSH version used?  If not, I'm guessing the only way to accomplish this setting might be with putting the device into FIPS compliance mode.

These are the supported SSH v2 ciphers.

By configuring and allowing only these, then V1 will not work.

 

So there is no way to disable SSHv1 support, only configuring the FW to allow the stronger ones, if that makes sense.

 

According to research... when the scanner tested again, it passed without warning, which is what you are looking to do, I presume...get the warning to no longer show in a scan?

 

Steve

Help the community: Like helpful comments and mark solutions

What version of PanOS are you running?

 

On 8.1.12, the only ciphers available are the ones listed above, there are no others available to choose from.

 

And , if I try to force my SSH client to connect using SSHv1, I get this:

Protocol major versions differ: 1 vs. 2

 

So, it looks like with 8.1 and higher, SSHv1 has been disabled completely.

I have been trying to find out in the release notes to see where SSH version 1 is disabled completely. Any pointers would be appreciate it. 

@Ram_Bista 

 

I do not believe you will find that SSHv1 has been discontinued. 

I think it is up to engineers to know and to deprecate SSH v1, to only allow the FW to communicate via SSH v2 ciphers.

 

Thanks

Help the community: Like helpful comments and mark solutions
  • 1 accepted solution
  • 11402 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!