In Messaging Gateway (SMG) 10.7.5 the --kexalgorithms option was added to the sshd-config CLI command to allow for changes to the key exchange algorithms used by the SMG ssh command line interface. This is to allow customers to address any security concerns regarding the key exchange algorithms allowed by SMG.
Usage: sshd-config (--list | --help)
sshd-config --add (allow|deny)
sshd-config --delete (allow|deny) <rule#>
sshd-config --view
sshd-config (--protocol | --ciphers | --macs | --kexalgorithms) <new_setting>
sshd-config --keygen <type> [ --bits <bits> ]
Options:
-h,--help Show more extensive help
-l,--list List current rules
-a,--add Add more allow/deny rules
-d,--delete Delete a rule by number
-v,--view Display ciphers/macs/kexalgorithm settings
-p,--protocol Set the allowed protocols (to <new_setting> )
-c,--ciphers Set the allowed ciphers (to <new_setting> )
-m,--macs Set the allowed message authentication codes (to <new_setting> )
-k,--kexalgorithms Set the allowed key exchange algorithms (to <new_setting> )
-y,--keygen Regenerate ssh key (of <type> )
-b,--bits specify the number of bits for a new key to be generated
<new_setting> may be 'default' to reset the attribute to the system default
allowed values for <type> are "dsa", "ecdsa", "ed25519", "rsa" and "rsa1"
The format of the new settings is the same as the sshd_config files's KexAlgorithms configuration i.e. a comma separated list of key exchange algorithms.
NOTE: The 'sshd-config'
command does not display the OpenSSH version used by SMG.
Example
smg [10.8.1-7]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.
smg [10.8.1-7] sshd-config -k diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Previous setting for KexAlgorithms:
default
New setting for KexAlgorithms:
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Do you wish to make this change? (yes/no) yes
Release : 10.7.5
Component : sshd-config
Changes made the the sshd configuration will restart the ssh service and disconnect any active ssh connections.
In the event of unexpected behavior or loss of ssh access to the SMG system, Broadcom Support does not provide any support regarding customer changes to the ssh daemon's configuration beyond the recommendation to return to the default configuration via the following command:
sshd-config --kexalgorithms default
Usually when we try to check current ciphers/macs/kexalgorithm settings using "sshd-config -v" command, we see "default" value instead of a current list:
mail [10.8.1-7]> sshd-config --view
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to 'default'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'default'.
Attribute 'clientaliveinterval' is set to 'default'.
mail [10.8.1-7]>
In such case to find what is currently enabled we can use nmap command. nmap utility is supported on Linux and other Unix systems, on Windows and on Mac.
The following command can be used (running it from a remote node):
nmap --script ssh2-enum-algos -sV -p 22 <SMG host name or IP>
The result from a machine running SMG 10.8.1-7 (out-of-the-box):
-bash-4.2$ nmap --script ssh2-enum-algos -sV -p 22 smg.node.name
Starting Nmap 6.40 ( http://nmap.org ) at 2023-11-10 11:32 AEDT
Nmap scan report for 192.168.0.24
Host is up (-0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms (12)
| curve25519-sha256
| [email protected]
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha256
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms (4)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| encryption_algorithms (12)
| [email protected]
| aes128-ctr
| aes192-ctr
| aes256-ctr
| [email protected]
| [email protected]
| aes128-cbc
| aes192-cbc
| aes256-cbc
| blowfish-cbc
| cast128-cbc
| 3des-cbc
| mac_algorithms (2)
| hmac-sha2-256
| hmac-sha2-512
| compression_algorithms (2)
| none
|_ [email protected]
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
-bash-4.2$