In Messaging Gateway (SMG) 10.7.5, the --kexalgorithms option was added to the sshd-config CLI command so that the key exchange algorithms offered by the SMG ssh command line interface can be changed. This lets customers address any security concerns regarding the key exchange algorithms allowed by SMG.
Usage: sshd-config (--list | --help)
sshd-config --add (allow|deny)
sshd-config --delete (allow|deny) <rule#>
sshd-config --view
sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
sshd-config --keygen <type> [ --bits <bits> ]
Options:
-h,--help Show more extensive help
-l,--list List current rules
-a,--add Add more allow/deny rules
-d,--delete Delete a rule by number
-v,--view Display ciphers/macs/kexalgorithm settings
-p,--protocol Set the allowed protocols (to <new_setting> )
-c,--ciphers Set the allowed ciphers (to <new_setting> )
-m,--macs Set the allowed message authentication codes (to <new_setting> )
-k,--kexalgorithms Set the allowed key exchange algorithms (to <new_setting> )
-y,--keygen Regenerate ssh key (of <type> )
-b,--bits specify the number of bits for a new key to be generated
<new_setting> may be 'default' to reset the attribute to the system default
allowed values for <type> are "dsa", "ecdsa", "ed25519", "rsa" and "rsa1"
The format of the new setting is the same as the KexAlgorithms directive in the sshd_config file, i.e. a comma-separated list of key exchange algorithm names.
Example
smg [10.8.1-7]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.
smg [10.8.1-7]> sshd-config -k diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Previous setting for KexAlgorithms:
default
New setting for KexAlgorithms:
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Do you wish to make this change? (yes/no) yes
Release : 10.7.5
Component : sshd-config
Changes made to the sshd configuration restart the ssh service and disconnect any active ssh connections.
In the event of unexpected behavior or loss of ssh access to the SMG system, Broadcom Support does not provide support for customer changes to the ssh daemon's configuration beyond recommending a return to the default configuration via the following command:
sshd-config --kexalgorithms default
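Because the change restarts sshd and a list that the administrator's own client cannot negotiate would lock that client out, it is worth checking a proposed <new_setting> value before running the command. The following Python checker is an added example and is not part of SMG or this article; the EXAMPLE_CLIENT_KEX set is constructed sample data, and check_kex_setting and client_kex_algorithms are hypothetical helper names.

```python
import re
import subprocess

# Kex algorithms that depend on SHA-1 or a 1024-bit DH group; these are the ones
# vulnerability scanners usually flag and that --kexalgorithms is typically used to remove.
WEAK_KEX_PATTERNS = (re.compile(r"sha1$"), re.compile(r"group1-"))

# One token of the comma-separated KexAlgorithms list (sshd_config syntax).
KEX_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.@+-]*$")

# Constructed sample of what an admin workstation's `ssh -Q kex` might print.
EXAMPLE_CLIENT_KEX = {
    "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha256",
}


def client_kex_algorithms():
    """Return the kex algorithms the local OpenSSH client supports (`ssh -Q kex`)."""
    out = subprocess.run(["ssh", "-Q", "kex"], capture_output=True, text=True, check=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def check_kex_setting(new_setting, client_supported):
    """Validate a <new_setting> value before handing it to sshd-config --kexalgorithms.

    Returns a dict: valid (syntax ok, or the literal 'default'), weak (algorithms a
    scanner would still flag), unsupported (not offered by this client) and
    lockout_risk (True when the client could negotiate none of the listed algorithms).
    """
    if new_setting == "default":
        return {"valid": True, "weak": [], "unsupported": [], "lockout_risk": False}
    algs = new_setting.split(",")
    valid = all(KEX_TOKEN.match(a) for a in algs) and len(algs) == len(set(algs))
    weak = [a for a in algs if any(p.search(a) for p in WEAK_KEX_PATTERNS)]
    unsupported = [a for a in algs if a not in client_supported]
    lockout = valid and len(unsupported) == len(algs)
    return {"valid": valid, "weak": weak, "unsupported": unsupported, "lockout_risk": lockout}


if __name__ == "__main__":
    try:
        supported = client_kex_algorithms()
    except (OSError, subprocess.CalledProcessError):
        supported = EXAMPLE_CLIENT_KEX  # no ssh client available; fall back to the sample
    print(check_kex_setting("diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", supported))
```

Run it on the workstation you administer SMG from, so that the "unsupported" list reflects the client that actually has to reconnect after sshd restarts.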