Changing Messaging Gateway ssh key exchange algorithms
search cancel

Changing Messaging Gateway ssh key exchange algorithms

book

Article ID: 235239

calendar_today

Updated On: 11-22-2024

Products

Messaging Gateway

Issue/Introduction

In Messaging Gateway (SMG) 10.7.5 the --kexalgorithms option was added to the sshd-config CLI command to allow for changes to the key exchange algorithms used by the SMG ssh command line interface. This is to allow customers to address any security concerns regarding the key exchange algorithms allowed by SMG.

Usage: sshd-config (--list | --help)
       sshd-config --add (allow|deny)
       sshd-config --delete (allow|deny) <rule#>
       sshd-config --view
       sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
       sshd-config --keygen <type> [ --bits <bits> ]

Options:
    -h,--help      Show more extensive help
    -l,--list           List current rules
    -a,--add            Add more allow/deny rules
    -d,--delete         Delete a rule by number
    -v,--view           Display ciphers/macs/kexalgorithm settings
    -p,--protocol       Set the allowed protocols (to <new_setting> )
    -c,--ciphers        Set the allowed ciphers (to <new_setting> )
    -m,--macs           Set the allowed message authentication codes (to <new_setting> )
    -k,--kexalgorithms  Set the allowed key exchange algorithms (to <new_setting> )
    -y,--keygen         Regenerate ssh key (of <type> )
    -b,--bits           specify the number of bits for a new key to be generated

    <new_setting> may be 'default' to reset the attribute to the system default
    allowed values for <type> are "dsa", "ecdsa", "ed25519", "rsa" and "rsa1"

The format of the new settings is the same as the sshd_config files's KexAlgorithms configuration i.e. a comma separated list of key exchange algorithms.

NOTE: The 'sshd-config' command does not display the OpenSSH version used by SMG.

Example

smg [10.8.1-7]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.

smg [10.8.1-7] sshd-config -k diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Previous setting for KexAlgorithms: 
        default
New setting for KexAlgorithms:
        diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

Do you wish to make this change? (yes/no) yes

Environment

Release : 10.7.5

Component : sshd-config

Resolution

Changes made the the sshd configuration will restart the ssh service and disconnect any active ssh connections. 

In the event of unexpected behavior or loss of ssh access to the SMG system, Broadcom Support does not provide any support regarding customer changes to the ssh daemon's configuration beyond the recommendation to return to the default configuration via the following command:

sshd-config --kexalgorithms default

Additional Information

Usually when we try to check current ciphers/macs/kexalgorithm settings using "sshd-config -v" command, we see "default" value instead of a current list:

mail [10.8.1-7]> sshd-config --view
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to 'default'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.
mail [10.8.1-7]>

Default kexalgorithms

'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

Using nmap to validate key exchange values

To confirm what is currently enabled for key exchange, one can use nmap command. nmap utility is supported on Linux and other Unix systems, on Windows and on Mac.
The following command can be used (running it from a remote node):

nmap --script ssh2-enum-algos -sV -p 22 <SMG host name or IP>

The result from a machine running SMG 10.8.1-7 (out-of-the-box):

-bash-4.2$ nmap --script ssh2-enum-algos -sV -p 22 smg.node.name

Starting Nmap 6.40 ( http://nmap.org ) at 2023-11-10 11:32 AEDT
Nmap scan report for 192.168.0.24
Host is up (-0.17s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms (2)
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
-bash-4.2$
Powered by Wolken Software