Securing SSH2 daemon on XOS 15.6.1.4 - disable MD5 or 96-bit MAC algorithms

  • Question
  • Updated 3 years ago
  • Answered
Hi,
Our security team has reported that the XOS sshd is using either MD5 or 96-bit MAC algorithms, which are considered weak. Is there any way to configure the MAC algorithm which is used by the SSH daemon on XOS? Our devices are (x670/440).

Zsolt Babindai


Posted 3 years ago


Thomas, Ken, Alum

Zsolt, I have reached out to some of the GTAC engineers who should be able to help shed some light on your question.

Zsolt Babindai

Thanks, I'm looking forward to getting some useful info.

Zsolt Babindai

Any news?

Colatuno, Joe, Escalation Support Engineer

Hey Zsolt,

Current EXOS SSH implementation is based off SSH Secure Shell Toolkit version 4.1.2.

16.2 SSH code will move from the Toolkit to OpenSSH 6.5p1, which will address these algorithm vulnerabilities.

Currently the roadmap for the 16.2 release is looking like December. I see no plans to have this implemented in earlier software versions, unfortunately.

Thomas, Ken, Alum

Zsolt, let us know if this answers your question or if you have any follow-up questions.

Zsolt Babindai

Hi, sorry, I was out of the office for some days and just returned. Thank you very much for your answer, this is enough for me. We will upgrade to 16.2 when it is available.

Chad Smith, Alum

Zsolt,

It looks like the SSH Server upgrade may not make it into EXOS 16.2.  It seems it is currently scoped for 16.3.

Also, I have created a GTACKnowledge article for future reference: Is there any way to configure the MAC algorithm which is used by the SSH daemon in EXOS?
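
An added example (not part of the thread and not Extreme Networks code): one way to confirm which MACs an SSH server offers, before and after an upgrade, is to parse its SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and flag the MD5 and 96-bit entries the question refers to. The function names are hypothetical and the sample payload is constructed, not captured from a switch.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-lists in the order RFC 4253 section 7.1 defines them.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}  # skip the message-type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def weak_macs(kexinit: dict) -> list:
    """Return offered MACs that use MD5 or a 96-bit truncated tag."""
    offered = dict.fromkeys(kexinit["mac_c2s"] + kexinit["mac_s2c"])  # de-dup, keep order
    return [m for m in offered
            if "md5" in m.lower() or "-96" in m]

def _name_list(names) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_sample() -> bytes:
    # Constructed sample payload for illustration only.
    macs = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"],
             ["aes128-cbc"], ["aes128-cbc"], macs, macs,
             ["none"], ["none"], [], []]
    body = b"".join(_name_list(l) for l in lists)
    # Trailer: first_kex_packet_follows = FALSE, then the reserved uint32 0.
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

if __name__ == "__main__":
    print(weak_macs(parse_kexinit(build_sample())))
```

The payload is the body of the server's first binary packet after the version banner, with the packet length, padding length and padding removed.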