IBM i Global

IBM i 

A space for professionals working with IBM’s integrated OS for Power systems to exchange ideas, ask questions, and share expertise on topics like RPG and COBOL development, application modernization, open source integration, system administration, and business continuity.


#Power


#IBMi
  • 1.  Weak ciphers and macs

    Posted yesterday

    I need to disable weak cipher and MAC algorithms for SSH on IBM i systems.

    I have edited /qopensys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config

    Added the following: 

    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

    Restarted the SSH server using STRTCPSVR SERVER(*SSHD).

    I tested it using: ssh -vvv -o MACs=hmac-sha1 <user@systems.name>

    It is still accepting the MACs defined here.

    How can I disable weak ciphers, MACs and KEX algorithms?

    Thanks 



    ------------------------------
    Sarvan Veluppillai
    ------------------------------


  • 2.  RE: Weak ciphers and macs

    Posted 23 hours ago
    Edited by Satid S 23 hours ago

    Dear Sarvan

    Have you tried changing the QSSLCSLCTL system value to the special value *USRDFN and then editing the system value QSSLCSL to remove the weak suites? Since you did not specify which IBM i release, you can consult this IBM Technote for details: Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites at https://www.ibm.com/support/pages/configuring-your-ibm-i-system-secure-sockets-layer-ssltransport-layer-security-tls-protocols-and-cipher-suites.



    ------------------------------
    Satid S
    ------------------------------



  • 3.  RE: Weak ciphers and macs

    Posted 21 hours ago

    Don't repeat the same keyword on multiple lines in the sshd_config file; only the last one is used.

    You have three KexAlgorithms lines – only the last will be effective.

    Put everything on one line:


    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr


    I saw another post about the QSSL* system values. No expert here, but I don't believe they have any effect on OpenSSH. They are only related to the TLS cipher suites that apply to the IBM servers like FTP, Telnet, HTTP, etc.


    Scott A. Schollenberger
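Two things a practitioner wants after reading this thread: a quick way to catch the repeated-keyword and weak-algorithm problems in sshd_config before restarting the daemon, and a repeatable version of the ssh -o MACs=hmac-sha1 check from the first post, so the whole weak list can be re-tested after every change. The script below is an added example written for this page; it is not IBM's or OpenSSH's code and was not posted by anyone in the thread. It assumes the sshd_config path quoted above, standard OpenSSH behaviour (sshd -T prints the effective configuration; a refused algorithm makes the client print "no matching ... found"), and a constructed weak-algorithm list that you should extend to match whatever your scanner flags. It needs only a POSIX shell, awk and the ssh client, all available in PASE.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSH sshd_config for repeated
# keywords and weak algorithms, and probe a server to confirm an algorithm is
# really refused after the daemon restart.
# Assumptions: the path in the usage note is the IBM i one quoted in the thread;
# the weak-algorithm list below is a constructed starting point, not an IBM list.

# Names that SHA-1/MD5/CBC-era scanners usually flag (constructed; extend as needed).
WEAK_PATTERN='hmac-md5|hmac-sha1|umac-64|-cbc|diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1|arcfour|3des|blowfish'

# Keywords that appear more than once, with their counts. sshd_config keywords are
# case-insensitive, so "MACs" and "macs" are the same keyword. A keyword may
# legitimately repeat inside different Match blocks; this simple check counts those too.
dup_keywords() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { n[tolower($1)]++ }
        END { for (k in n) if (n[k] > 1) print k, n[k] }
    ' "$1" | sort
}

# Every weak algorithm that a Ciphers/MACs/KexAlgorithms line would enable.
# A value starting with "-" removes names from the default set, so it is skipped;
# "+" and "^" add to or prepend the default set, so the prefix is stripped.
weak_algos() {
    awk -v pat="$WEAK_PATTERN" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            v = $2
            if (substr(v, 1, 1) == "-") next
            if (substr(v, 1, 1) == "+" || substr(v, 1, 1) == "^") v = substr(v, 2)
            c = split(v, a, ",")
            for (i = 1; i <= c; i++)
                if (tolower(a[i]) ~ pat) print tolower($1), a[i]
        }
    ' "$1" | sort -u
}

# What the daemon itself will use, resolved from the file (standard OpenSSH "sshd -T").
# sshd must be able to read the host keys, so run this as a profile that can.
effective_algos() {
    sshd -T -f "$1" 2>/dev/null | grep -i -E '^(ciphers|macs|kexalgorithms) '
}

# Turn one ssh attempt's output into a verdict. "no matching ... found" is what the
# client prints when the server refuses the forced algorithm; reaching authentication
# ("Permission denied") or a clean exit means the server negotiated it.
classify() {
    case "$1" in
        *"no matching "*" found"*) echo rejected ;;
        ""|*"Permission denied"*)  echo accepted ;;
        *)                         echo unknown ;;
    esac
}

# Force a single algorithm, the same test the first post ran with -o MACs=hmac-sha1.
# BatchMode avoids a password prompt; a refused handshake never reaches auth anyway.
probe() {  # probe user@host  Ciphers|MACs|KexAlgorithms  algorithm-name
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 -o "$2=$3" "$1" true 2>&1)
    printf '%s %s: %s\n' "$2" "$3" "$(classify "$out")"
}

audit() {
    echo "== keywords repeated in $1 (keep a single line per keyword)"
    dup_keywords "$1"
    echo "== weak algorithms still listed"
    weak_algos "$1"
    if command -v sshd >/dev/null 2>&1; then
        echo "== effective values reported by sshd -T"
        effective_algos "$1"
    fi
}

# Run the audit only when a config path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Run it as `sh sshd_audit.sh /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config` before restarting; the sshd -T section shows which value the daemon will actually use, so it settles any doubt about repeated lines. sshd only reads the file at start-up, so after editing stop and start the server (ENDTCPSVR SERVER(*SSHD), then STRTCPSVR SERVER(*SSHD)) and confirm from another machine with, for example, `probe user@host MACs hmac-sha1`, `probe user@host Ciphers aes128-cbc` and `probe user@host KexAlgorithms diffie-hellman-group14-sha1`; each should print "rejected". A verdict of "unknown" usually means the client itself no longer supports the algorithm you asked for, or the host was unreachable, so read the ssh message before concluding anything about the server.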