Changing Messaging Gateway ssh key exchange algorithms

Article ID: 235239

Products

Messaging Gateway

Issue/Introduction

In Messaging Gateway (SMG) 10.7.5 the --kexalgorithms option was added to the sshd-config CLI command to allow for changes to the key exchange algorithms used by the SMG ssh command line interface. This is to allow customers to address any security concerns regarding the key exchange algorithms allowed by SMG.

Usage: sshd-config (--list | --help)
       sshd-config --add (allow|deny)
       sshd-config --delete (allow|deny) <rule#>
       sshd-config --view
       sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
       sshd-config --keygen <type> [ --bits <bits> ]

Options:
    -h,--help      Show more extensive help
    -l,--list           List current rules
    -a,--add            Add more allow/deny rules
    -d,--delete         Delete a rule by number
    -v,--view           Display ciphers/macs/kexalgorithm settings
    -p,--protocol       Set the allowed protocols (to <new_setting> )
    -c,--ciphers        Set the allowed ciphers (to <new_setting> )
    -m,--macs           Set the allowed message authentication codes (to <new_setting> )
    -k,--kexalgorithms  Set the allowed key exchange algorithms (to <new_setting> )
    -y,--keygen         Regenerate ssh key (of <type> )
    -b,--bits           Specify the number of bits for a new key to be generated

    <new_setting> may be 'default' to reset the attribute to the system default
    allowed values for <type> are "dsa", "ecdsa", "ed25519", "rsa" and "rsa1"

The format of the new setting is the same as the KexAlgorithms directive in the sshd_config file, i.e., a comma-separated list of key exchange algorithm names.

Example

smg [10.8.1-7]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.

smg [10.8.1-7]> sshd-config -k diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Previous setting for KexAlgorithms:
        default
New setting for KexAlgorithms:
        diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

Do you wish to make this change? (yes/no) yes
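Because the change restarts sshd and drops live sessions, it is worth confirming before you apply a restricted list that the ssh client you administer SMG from supports at least one of the listed algorithms. The following shell script is an added example, not SMG code: `kex_unsupported`, `kex_check_local` and the sample client list are constructed here, and `ssh -Q kex` is the OpenSSH client's own listing of its key exchange algorithms.

```shell
#!/bin/sh
# Pre-flight check for `sshd-config -k <new_setting>` (added example, not SMG
# code): since sshd-config restarts sshd and drops live sessions, confirm the
# client you administer SMG from shares an algorithm with the new list first.

# Constructed sample in the format printed by `ssh -Q kex` (one name per line).
SAMPLE_CLIENT_KEX='curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512'

# kex_unsupported NEW_SETTING CLIENT_LIST: prints the algorithms of the
# comma-separated NEW_SETTING that CLIENT_LIST lacks, one per line. Returns 0
# if at least one is shared, 1 if none is (lock-out), 2 if the list is malformed.
kex_unsupported() {
  kx_rest="$1," kx_client=$2 kx_shared=0 kx_missing=""
  # 'default' restores the system default and needs no validation.
  [ "$1" = "default" ] && return 0
  while [ -n "$kx_rest" ]; do
    kx_alg=${kx_rest%%,*}
    kx_rest=${kx_rest#*,}
    if [ -z "$kx_alg" ]; then
      echo "malformed KexAlgorithms list: empty field (doubled or trailing comma)" >&2
      return 2
    fi
    # Exact fixed-string match against one line of the client list.
    if printf '%s\n' "$kx_client" | grep -qxF -- "$kx_alg"; then
      kx_shared=1
    else
      kx_missing="$kx_missing$kx_alg
"
    fi
  done
  printf '%s' "$kx_missing"
  [ "$kx_shared" -eq 1 ]
}

# Same check against the real local OpenSSH client (needs OpenSSH 6.3+ for -Q).
kex_check_local() { kex_unsupported "$1" "$(ssh -Q kex)"; }

# Demonstration on the constructed sample with the setting used in the article.
if kex_unsupported 'diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' \
     "$SAMPLE_CLIENT_KEX" >/dev/null; then
  echo "ok: client shares at least one key exchange algorithm with the new list"
fi
```

Run `kex_check_local '<new_setting>'` on the workstation you connect from; any names it prints are ones that client cannot negotiate, and a non-zero exit means the new list would leave you with no way in.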

Environment

Release : 10.7.5

Component : sshd-config

Resolution

Changes made to the sshd configuration restart the ssh service and disconnect any active ssh connections.

If the change causes unexpected behavior or loss of ssh access to the SMG system, Broadcom Support does not support customer changes to the ssh daemon's configuration beyond recommending a return to the default setting with the following command:

sshd-config --kexalgorithms default