01-07-2020 03:06 AM
Hi Peeps,
I have a technical query regarding how to change SSH v1 to SSH v2 on a PA firewall, because one of our customers got an alert from a VAPT tool as follows.
Description :-
KPMG test team observed that the Secure Shell protocol version 1 support was enabled on the tested devices.
Secure Shell is typically used as a cryptographically secure alternative to Telnet and other clear-text protocols. In addition to command-based access, Secure Shell services can enable the forwarding of network ports (such as X forwarding) or the transfer of files (such as Secure Copy or Secure File Transfer Protocol).
There are two main versions of the Secure Shell protocol, version 1 and 2. Version 2 was developed to both extend the functionality of the protocol and to enhance security. It is common for Secure Shell servers that support both versions of the protocol to be capable of being configured to support connections from clients using different versions of the protocol in order to maintain backward compatibility.
Severity :- Medium
CVE/CWE ID :- N/A
Impact :- Although flaws have been identified with Secure Shell protocol version 2, fundamental flaws exist in protocol version 1.
Recommendation :- It is recommended that the Secure Shell service should be reconfigured to only support version 2 of the protocol.
01-07-2020 04:12 PM
I did some research, and if you are on 8.0 and higher, you should be able to configure these
configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm
Will these work for you?
01-07-2020 04:50 PM
@S.Cantwell wrote:
I did some research, and if you are on 8.0 and higher, you should be able to configure these
configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm
Will these work for you?
Steve, these are just the ciphers, not the version of the SSH protocol. In your investigation, was there a way to actually configure the SSH version used? If not, I'm guessing the only way to accomplish this setting might be by putting the device into FIPS compliance mode.
01-07-2020 05:19 PM
These are the supported SSH v2 ciphers.
By configuring and allowing only these, V1 will not work.
So there is no way to disable SSHv1 support, only configuring the FW to allow the stronger ones, if that makes sense.
According to research, when the scanner tested again, it passed without warning, which is what you are looking to do, I presume: get the warning to no longer show in a scan?
Steve
01-15-2020 11:03 AM
What version of PanOS are you running?
On 8.1.12, the only ciphers available are the ones listed above, there are no others available to choose from.
And, if I try to force my SSH client to connect using SSHv1, I get this:
Protocol major versions differ: 1 vs. 2
So, it looks like with 8.1 and higher, SSHv1 has been disabled completely.
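The client test above depends on an SSH client that still speaks protocol 1, which recent OpenSSH releases no longer do. A client-independent way to verify the scanner's finding is to read the server's identification string (RFC 4253 section 4.2): "SSH-2.0-" means version 2 only, "SSH-1.99-" means the server also accepts version 1 clients, and "SSH-1.5-"/"SSH-1.3-" mean version 1 only. The following is an added example written for this thread, not Palo Alto Networks code; the host argument and the sample banners are constructed.

```python
"""Classify an SSH server's protocol support from its identification string."""
import socket
import sys

SSH1_PROTOVERSIONS = ("1.99", "1.5", "1.3")


def classify_ssh_banner(raw: bytes) -> dict:
    """Parse 'SSH-protoversion-softwareversion [comments]' out of raw banner bytes.

    Servers may send arbitrary text lines before the identification string;
    those lines do not start with "SSH-" and are skipped.
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        fields = line.decode("ascii", errors="replace").split("-", 2)
        if len(fields) < 3:
            break  # malformed identification string
        proto = fields[1]
        software = fields[2].split(" ", 1)[0]  # drop optional comments
        return {
            "protoversion": proto,
            "software": software,
            "ssh1_allowed": proto in SSH1_PROTOVERSIONS,
            "ssh2_only": proto == "2.0",
        }
    return {"protoversion": None, "software": None,
            "ssh1_allowed": None, "ssh2_only": None}


def probe_ssh_version(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to the management SSH port, read the banner, and classify it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # Either side may send first; sending our line avoids servers that wait.
        s.sendall(b"SSH-2.0-banner_check\r\n")
        while b"SSH-" not in data and len(data) < 8192:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return classify_ssh_banner(data)


if __name__ == "__main__":
    # Usage: python ssh_banner_check.py <firewall-mgmt-ip> (hypothetical host)
    print(probe_ssh_version(sys.argv[1]))
```

A result with "ssh2_only": True is what a clean rescan for this finding should correspond to; "ssh1_allowed": True means the device still advertises version 1 compatibility.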
03-03-2021 10:08 AM
I have been trying to find out in the release notes where SSH version 1 is disabled completely. Any pointers would be appreciated.
03-03-2021 10:30 AM
I do not believe you will find that SSHv1 has been discontinued.
I think it is up to engineers to know and to deprecate SSH v1, to only allow the FW to communicate via SSH v2 ciphers.
Thanks