Power Global

  • 1.  SHA1 deprecated Vulnerability issue in AIX 7.3

    Posted 16 days ago

    How to mitigate the below vulnerability issues on AIX 7.3

    1) SHA1 deprecated setting for SSH
    2) Deprecated SSH Cryptographic Settings



    ------------------------------
    Elangovan Subramaniyan
    ------------------------------


  • 2.  RE: SHA1 deprecated Vulnerability issue in AIX 7.3

    Posted 16 days ago

    Add 

    MACs -"*sha1*"
    KexAlgorithms -"*sha1*"
    HostKeyAlgorithms -ssh-rsa
    Ciphers -chacha20-poly1305@openssh.com 

    to /etc/ssh/sshd_config

    validate you have not made any mistakes with

    sshd -t

    restart sshd

    lssrc -s sshd ; stopsrc -s sshd ; startsrc -s sshd



    ------------------------------
    Alexander Pettitt
    ------------------------------



  • 3.  RE: SHA1 deprecated Vulnerability issue in AIX 7.3

    Posted 15 days ago
    Alexander,

    I find the idea of wildcarding ciphers to disable interesting. Where
    did you get this list?

    Thanks.

    On Wed, Jun 19, 2024 at 11:57:54AM +0000, Alexander Pettitt via IBM TechXchange Community wrote:
    > Add
    >
    >
    > MACs -"*sha1*"
    > KexAlgorithms -"*sha1*"
    > HostKeyAlgorithms -ssh-rsa
    > Ciphers -chacha20-poly1305@openssh.com
    >
    >
    > to /etc/ssh/sshd_config
    >
    >
    > validate you have not made any mistakes with
    >
    >
    > sshd -t
    >
    >
    > restart sshd
    >
    >
    > lssrc -s sshd ; stopsrc -s sshd ; startsrc -s sshd
    >
    >
    > ------------------------------
    > Alexander Pettitt
    > ------------------------------
    > -------------------------------------------
    > Original Message:
    > Sent: Wed June 19, 2024 02:38 AM
    > From: Elangovan Subramaniyan
    > Subject: SHA1 deprecated Vulnerability issue in AIX 7.3
    >
    >
    > How to mitigate the below vulnerability issues on AIX 7.3
    >
    >
    >
    > 1) SHA1 deprecated setting for SSH
    > 2) Deprecated SSH Cryptographic Settings
    >
    >
    > ------------------------------
    > Elangovan Subramaniyan
    > ------------------------------


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 4.  RE: SHA1 deprecated Vulnerability issue in AIX 7.3

    Posted 15 days ago

    I copied it right out of /etc/ssh/sshd_config :) 

    I created it from internet searches and then tested the offending methods to make sure they failed.



    ------------------------------
    Alexander Pettitt
    ------------------------------
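
One way to confirm that the four removals from the second reply are in effect, as an added example that is not part of any post in this thread: it scans the effective configuration printed by `sshd -T` for the algorithms those lines remove. The function name `find_weak_ssh_algos` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `sshd -T` output for the
# algorithms removed by the sshd_config lines in the second reply.
# Input: effective-config lines ("keyword value,value,...") on stdin.
# Output: one "keyword algorithm" line per offender; status 1 if any found.
find_weak_ssh_algos() {
    awk '
        # sshd -T prints keywords in lowercase, then a comma-separated list.
        $1 ~ /^(macs|kexalgorithms|hostkeyalgorithms|ciphers)$/ {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++) {
                bad = 0
                # MACs -"*sha1*" and KexAlgorithms -"*sha1*"
                if (($1 == "macs" || $1 == "kexalgorithms") && algo[i] ~ /sha1/) bad = 1
                # HostKeyAlgorithms -ssh-rsa (exact name only, as in the reply)
                if ($1 == "hostkeyalgorithms" && algo[i] == "ssh-rsa") bad = 1
                # Ciphers -chacha20-poly1305@openssh.com
                if ($1 == "ciphers" && algo[i] == "chacha20-poly1305@openssh.com") bad = 1
                if (bad) { print $1, algo[i]; found = 1 }
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `sshd -T` output before the change (not a real host).
SAMPLE_BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha1-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa'

# Constructed sample after the four removal lines have been applied.
SAMPLE_AFTER='port 22
ciphers aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512'

# Demo on the constructed "before" sample. On a live host, run as root:
#   sshd -T | find_weak_ssh_algos
printf '%s\n' "$SAMPLE_BEFORE" | find_weak_ssh_algos ||
    echo "weak algorithms still offered"
```

`sshd -T` reports the global settings only; algorithms set inside a `Match` block need a connection specification passed with `-C` to show up.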