Forum Discussion

19 Replies

  • Hi,

    The below is how to change the SSH cipher suites.

    To modify MACs:

        tmsh modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
        tmsh save sys config partitions all
        tmsh restart sys service sshd

    To modify ciphers:

        tmsh modify sys sshd include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        tmsh save sys config partitions all
        tmsh restart sys service sshd

  • Hi,

    I have BIG-IP 11.6 and it looks like these two commands (for MACs and ciphers) are mutually exclusive. For example, if I enter:

    modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
    save sys config partitions all
    restart sys service sshd
    

    the configuration of the SSH daemon looks like:

        sys sshd {
            banner enabled
            banner-text "Any unauthorized access is strictly prohibited
        and will be prosecuted to the full extent of
        applicable local and international law.
        All access is monitored."
            inactivity-timeout 900
            include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
            log-level verbose
        }
    

    If after that I enter:

    modify sys sshd include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    save sys config partitions all
    restart sys service sshd
    

    the configuration looks like:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
    

    How can I change ciphers and MACs together? I need to disable CBC encryption and the MD5 and 96-bit MAC algorithms.

    • refra_151287
      Hi Mate, it's really what happened with me, but after performing the PenTest again I found the changes had happened; you can check that and give us feedback.
  • I tried, but the situation is as I described before.

    These commands are used to change the dynamically generated SSH daemon configuration (/var/run/config/sshd_config).

    For example, here is the configuration of SSHD on TMOS:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
        log-level verbose
    }
    

    As you can see, the MAC list is modified, and this can also be seen in the auto-generated configuration (just part of it) of the SSH daemon below:

     THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
    
    
     $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
    
     Use the tmsh shell utility to make changes to the system configuration.
     For more information, see tmsh -a help sys sshd.
    
     KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
     MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    
     The strategy used for options in the default sshd_config shipped with
     OpenSSH is to specify options with their default value where
     possible.
     F5 Note
     If a directive appears multiple times, its first instance will be used
     and subsequent instances will be silently ignored. The following options
     have been configured via 'tmsh sys sshd include' and will therefore take
     precedence over any conflicting setting that appear afterward. Conversely,
     certain directives are placed before 'include' section to prevent being
     overridden.
     MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
     F5 - end of options specified via 'tmsh sys sshd include'.
    
    Port 22
    Protocol 2,1
     Protocol 2
     AddressFamily inet6
    
     F5 - these are FIPS approved ciphers.
     Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    
    
     It's best to leave this setting as it is and use "tmsh modify sshd allow".
     An even better idea is to make sure that your self-IPs do not allow traffic
     on port 22.This is the default, so installations are secure by default.
    ListenAddress 0.0.0.0
    ListenAddress ::
    
     HostKey for protocol version 1
    HostKey /config/ssh/ssh_host_key
     HostKeys for protocol version 2
    HostKey /config/ssh/ssh_host_rsa_key
    HostKey /config/ssh/ssh_host_dsa_key
    
     Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768
    
     Logging
     obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    

    As you can see, MACs are modified and default ciphers are used.

    If after that we change the ciphers, the configuration looks like:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
    

    And the auto-generated SSH daemon configuration looks like:

     THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
    
    
     $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
    
     Use the tmsh shell utility to make changes to the system configuration.
     For more information, see tmsh -a help sys sshd.
    
     KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
     MACS hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    
     The strategy used for options in the default sshd_config shipped with
     OpenSSH is to specify options with their default value where
     possible.
     F5 Note
     If a directive appears multiple times, its first instance will be used
     and subsequent instances will be silently ignored. The following options
     have been configured via 'tmsh sys sshd include' and will therefore take
     precedence over any conflicting setting that appear afterward. Conversely,
     certain directives are placed before 'include' section to prevent being
     overridden.
     Ciphers aes128-ctr,aes192-ctr,aes256-ctr
     F5 - end of options specified via 'tmsh sys sshd include'.
    
    Port 22
    Protocol 2,1
     Protocol 2
     AddressFamily inet6
    
     F5 - these are FIPS approved ciphers.
     Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    
    
     It's best to leave this setting as it is and use "tmsh modify sshd allow".
     An even better idea is to make sure that your self-IPs do not allow traffic
     on port 22.This is the default, so installations are secure by default.
    ListenAddress 0.0.0.0
    ListenAddress ::
    
     HostKey for protocol version 1
    HostKey /config/ssh/ssh_host_key
     HostKeys for protocol version 2
    HostKey /config/ssh/ssh_host_rsa_key
    HostKey /config/ssh/ssh_host_dsa_key
    
     Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768
    
     Logging
     obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    

    As you can see, there is no configuration line for MACs, just for ciphers.

    • boneyard
      A support case will get you the best / quickest answer at this stage in my opinion. Please do report back what they say.
    • aries22

      Hi guys!

      How can I see the auto-generated configuration of the SSH daemon?

  • I opened a support case and the solution is pretty simple:

    tmsh modify sys sshd include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    

    It looks like it's working. 🙂

    TMOS configuration of SSH after applying command:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }

  • I opened a support case and the engineer gave me a solution. It's pretty simple:

    tmsh modify sys sshd include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    

    It looks like it's working. 🙂

    The TMOS configuration of SSH now looks like:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        log-level verbose
    }
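    As an added example that is not part of the thread (and not F5's code), the script below bundles the support-case fix with a check that mirrors the F5 note quoted in the generated file: sshd takes the first active occurrence of a directive, so the include block wins over the default lists printed after it, and a MACs or Ciphers line that never makes it into the include falls through to those defaults. Assumed, and marked as such in the comments: BIG-IP 11.x tmsh syntax exactly as shown in this thread, the generated file path /var/run/config/sshd_config, the script filename, and a constructed sample file used only for the offline demo.

```shell
#!/bin/sh
# Added example (not code from the thread or from F5): apply the support-case
# fix from the thread and audit the generated sshd_config the way sshd reads
# it. Assumptions: BIG-IP 11.x tmsh syntax exactly as shown in the thread; the
# generated file is /var/run/config/sshd_config; comment lines start with '#'.

# The lists from the thread. KexAlgorithms is deliberately left alone because
# the thread's fix only covers MACs and Ciphers.
STRONG_MACS="hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
STRONG_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"

# 'sys sshd include' holds ONE string, so a second 'modify' replaces the first;
# both directives must go into the same include, each on its own line.
apply_f5_ssh_hardening() {
    tmsh modify sys sshd include "
MACs $STRONG_MACS
Ciphers $STRONG_CIPHERS"
    tmsh save sys config partitions all
    tmsh restart sys service sshd
}

# effective_sshd_option FILE DIRECTIVE
# sshd honours the FIRST active occurrence of a directive (the F5 note in the
# generated file says the same), so print only that value; comment lines are
# skipped and the directive name is matched case-insensitively ('MACs').
effective_sshd_option() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(d) { print $2; exit }
    ' "$1"
}

# weak_algorithms LIST -> comma-separated members that are CBC, MD5 or 96-bit
# truncated, i.e. the three things the thread wants gone. Empty if none.
weak_algorithms() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -- '-cbc$|md5|-96$' \
        | tr '\n' ',' | sed 's/,$//'
}

# audit_sshd_config FILE -> one line per directive, exit 1 if anything is weak
# or unset (an unset directive falls back to sshd's built-in default, which in
# the thread's dump still lists CBC, MD5 and -96 algorithms).
audit_sshd_config() {
    rc=0
    for d in MACs Ciphers; do
        v=$(effective_sshd_option "$1" "$d")
        if [ -z "$v" ]; then
            echo "UNSET $d: sshd built-in default applies, treat as weak"; rc=1
            continue
        fi
        w=$(weak_algorithms "$v")
        if [ -n "$w" ]; then
            echo "WEAK  $d: $w (effective list: $v)"; rc=1
        else
            echo "OK    $d: $v"
        fi
    done
    return $rc
}

# make_sample_config INCLUDE_TEXT -> a CONSTRUCTED stand-in for the generated
# file, modelled on the dump in the thread: the include block first, then the
# default lists. Only for offline testing; on a BIG-IP audit the real file.
make_sample_config() {
    cat <<EOF
# THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
# F5 Note: if a directive appears multiple times, its first instance is used.
$1
# F5 - end of options specified via 'tmsh sys sshd include'.
Port 22
Protocol 2
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
EOF
}

# Usage: sh f5-sshd-audit.sh apply                           (on the BIG-IP)
#        sh f5-sshd-audit.sh /var/run/config/sshd_config     (audit a file)
#        sh f5-sshd-audit.sh demo          (audit the constructed sample)
case "${1:-}" in
    apply) apply_f5_ssh_hardening ;;
    demo)  tmp=$(mktemp); make_sample_config "Ciphers $STRONG_CIPHERS" > "$tmp"
           audit_sshd_config "$tmp"; rm -f "$tmp" ;;
    "")    ;;
    *)     audit_sshd_config "$1" ;;
esac
```

    Run it as `sh f5-sshd-audit.sh /var/run/config/sshd_config` after the restart. A WEAK or UNSET line means the include did not take effect, which is exactly what happens when a second `modify sys sshd include` replaces the first: the `demo` mode reproduces that state with a ciphers-only include and reports the MACs falling through to the default list.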
    
  • Hi mate, I am having the same problem as you had before. When I apply the following command I get an error. Can you please advise if I am applying it correctly.

    tmsh modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com Ciphers aes128-ctr,aes192-ctr,aes256-ctr"

    Thanks, Syed


  • Did you copy/paste exactly as I wrote it?

    Ciphers have to be on a separate line from MACs.

    BR, Mate


  • Confirming changes have been applied to F5 mgmt/config interfaces:

    Red Hat article https://access.redhat.com/solutions/420283 is related to this topic and provides some simple remote confirmation tests we all know and love via SSH client parameters.

    1. Verify remotely from an SSH client:

        ssh -vv -oMACs=hmac-md5 10.x.y.z
        . . . output snipped . . .
        no matching mac found: client hmac-md5 server hmac-sha1,hmac-ripemd160

    2. Verify remotely from an SSH client:

        ssh -vv -oCiphers=aes128-cbc 10.x.y.z
        . . . output snipped . . .
        no matching cipher found: client aes128-cbc server aes128-ctr,aes192-ctr,aes256-ctr
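    The two client-side checks above generalise into a loop. As an added example that is not from the thread or the Red Hat article, the script below probes every CBC cipher and MD5/96-bit MAC the thread wants gone and classifies the client's stderr, including the case a practitioner trips over most: the local OpenSSH client no longer supports the weak algorithm at all, which without care reads like a server rejection. Assumed names: the dummy user `probe`, the script filename, and HOST/PORT taken from the command line.

```shell
#!/bin/sh
# Added example (not code from the thread, Red Hat or F5): a black-box check of
# the BIG-IP's sshd from an SSH client, looping over the algorithms the thread
# wants disabled and classifying the client's stderr. Assumptions: an OpenSSH
# client; HOST/PORT from argv; the client itself still supports the weak
# algorithm (modern OpenSSH builds drop several of them, in which case the
# verdict is CLIENT_UNSUPPORTED, not a statement about the server).

WEAK_CIPHERS="aes128-cbc aes192-cbc aes256-cbc 3des-cbc"
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1-96"

# classify_ssh_output cipher|mac TEXT -> REJECTED | ACCEPTED |
# CLIENT_UNSUPPORTED | UNKNOWN, from the stderr of 'ssh -vv -oCiphers=X' or
# '-oMACs=X'. Matching is case-insensitive because older clients print
# 'no matching mac found' and newer ones 'no matching MAC found'.
classify_ssh_output() {
    kind=$1
    text=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$text" in
        *"no matching $kind found"*)
            echo REJECTED ;;            # server refused the algorithm: good
        *"unknown $kind type"*|*"bad ssh2 $kind spec"*)
            echo CLIENT_UNSUPPORTED ;;  # our client cannot even offer it
        *"kex: server->client"*|*"permission denied"*)
            echo ACCEPTED ;;            # negotiation got past algorithm choice
        *)
            echo UNKNOWN ;;             # timeout, connection refused, DNS, ...
    esac
}

# probe_algorithm HOST PORT cipher|mac ALGO -> verdict for one algorithm.
# BatchMode prevents a password prompt; we never authenticate (dummy user
# 'probe'), we only want the negotiation, so host-key checking is disabled.
probe_algorithm() {
    if [ "$3" = cipher ]; then opt=Ciphers; else opt=MACs; fi
    out=$(ssh -vv -p "$2" -o BatchMode=yes -o ConnectTimeout=5 \
              -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
              -o "$opt=$4" "probe@$1" true 2>&1 </dev/null || true)
    classify_ssh_output "$3" "$out"
}

# scan_host HOST [PORT] -> one line per algorithm; exit 1 if any is ACCEPTED.
scan_host() {
    host=$1; port=${2:-22}; rc=0
    for c in $WEAK_CIPHERS; do
        v=$(probe_algorithm "$host" "$port" cipher "$c")
        echo "cipher $c: $v"
        if [ "$v" = ACCEPTED ]; then rc=1; fi
    done
    for m in $WEAK_MACS; do
        v=$(probe_algorithm "$host" "$port" mac "$m")
        echo "mac    $m: $v"
        if [ "$v" = ACCEPTED ]; then rc=1; fi
    done
    return $rc
}

# Usage: sh ssh-weak-probe.sh 10.x.y.z [22]
if [ $# -ge 1 ]; then
    scan_host "$@"
fi
```

    Run `ssh -Q cipher` and `ssh -Q mac` first to see which weak algorithms your client can still offer; anything missing there can only be probed from an older client, and a CLIENT_UNSUPPORTED line is the script telling you that, not a pass.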