Some ciphers supported by EdgeSWG may be weak or vulnerable. In that case, you may want to remove those ciphers from both 'ssh-console' and 'ssh-client'.
Depending on the version you are running, EdgeSWG may offer a different set of supported ciphers. Newer versions may already have weak/vulnerable ciphers removed by default.
If you are running an older version and need to remove some ciphers from EdgeSWG, you can do so with the steps below.
1. Remove the ciphers that ProxySG accepts when someone connects to the ProxySG SSH console (inbound SSH connections):
The link below includes commands to view/add/remove ciphers for the SSH console.
View/Add/Remove 'ssh-console' ciphers.
Example:
ProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)ssh-console
ProxySG#(config ssh-console)ciphers view
current: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
default: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
choices: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr,[email protected],arcfour256,arcfour128,arcfour,cast128-cbc,blowfish-cbc,aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc
ProxySG#(config ssh-console)ciphers remove <cipher_name>
Removes an SSH cipher from the current list. The cipher_name must be one of the names listed under current in the ciphers view output.
2. Remove the ciphers that ProxySG uses when it connects to other devices (outbound SSH connections):
View/Add/Remove 'ssh-client' ciphers.
Example:
ProxySG#(config ssh-console)
ProxySG#(config ssh-console)exit
ProxySG#(config)ssh-client
ProxySG#(config ssh-client)ciphers
ProxySG#(config ssh-client ciphers)view
current: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
default: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
choices: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr,[email protected],arcfour256,arcfour128,arcfour,cast128-cbc,blowfish-cbc,aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc
ProxySG#(config ssh-client ciphers)exit
ProxySG#(config ssh-client)ciphers
ProxySG#(config ssh-client ciphers)remove <cipher_name>
Removes an SSH cipher from the current list. The cipher_name must be one of the names listed under current in the view output.
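Both steps above follow the same pattern: read the 'ciphers view' output, pick the weak entries out of the current list, and issue one remove command per cipher (at the '(config ssh-console)' prompt for step 1, at the '(config ssh-client ciphers)' prompt for step 2). The script below is an added example, not part of this article or of the ProxySG CLI; it parses pasted 'ciphers view' output and prints the remove commands for both modes so they can be reviewed before being typed into the appliance. The sample output it parses is constructed, not captured from a real device. It assumes that CBC-mode ciphers, arcfour (RC4), 3des, blowfish and cast128 are the entries to drop, and it treats any token that appears as '[email protected]' (the way '@openssh.com'-style cipher names are masked in the article above) as unclassifiable rather than guessing its real name. It also refuses to produce a plan that would empty the current list, since removing every cipher would make the SSH console (or every outbound SSH connection) unusable.

```python
import re

# Assumption: these name patterns are the legacy/weak ciphers an administrator
# wants removed from both ssh-console and ssh-client.
WEAK_PATTERNS = (
    re.compile(r"-cbc$"),      # every CBC-mode cipher
    re.compile(r"^arcfour"),   # RC4 variants
    re.compile(r"^3des"),
    re.compile(r"^blowfish"),
    re.compile(r"^cast128"),
)

# Token the web page shows in place of masked '@openssh.com'-style names.
MASKED_TOKEN = "[email protected]"

# Constructed sample of 'ciphers view' output for the SSH console, with weak
# entries still present in 'current' (not copied from any real appliance).
SAMPLE_CONSOLE_VIEW = """\
current: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,3des-cbc,arcfour
default: aes256-ctr,aes192-ctr,aes128-ctr
choices: aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour,cast128-cbc,blowfish-cbc,aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc
"""

# Constructed sample for ssh-client, including one masked token as on the page.
SAMPLE_CLIENT_VIEW = """\
current: [email protected],aes256-ctr,aes128-ctr,blowfish-cbc,arcfour128
default: [email protected],aes256-ctr,aes128-ctr
choices: [email protected],aes256-ctr,aes128-ctr,arcfour128,blowfish-cbc,3des-cbc
"""


def parse_ciphers_view(text):
    """Return {'current': [...], 'default': [...], 'choices': [...]} from view output."""
    lists = {}
    for line in text.splitlines():
        m = re.match(r"\s*(current|default|choices):\s*(.*)$", line)
        if m:
            lists[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return lists


def classify(name):
    """Classify one cipher name as 'weak', 'ok' or 'masked' (unrecoverable from the page)."""
    if MASKED_TOKEN in name:
        return "masked"
    if any(p.search(name) for p in WEAK_PATTERNS):
        return "weak"
    return "ok"


def weak_ciphers(names):
    """Weak ciphers in the given list, in the order the appliance listed them."""
    return [n for n in names if classify(n) == "weak"]


def removal_commands(view_text, mode):
    """Build the CLI remove commands for the weak ciphers in the 'current' list.

    mode 'ssh-console': commands are typed at the (config ssh-console) prompt.
    mode 'ssh-client':  commands are typed at the (config ssh-client ciphers) prompt.
    Only names present under 'current' are ever removed, as the article requires.
    """
    current = parse_ciphers_view(view_text).get("current", [])
    if not current:
        raise ValueError("no 'current:' line found in ciphers view output")
    weak = weak_ciphers(current)
    if len(weak) == len(current):
        raise ValueError("refusing to remove every current cipher; the list would be empty")
    templates = {"ssh-console": "ciphers remove {}", "ssh-client": "remove {}"}
    if mode not in templates:
        raise ValueError(f"unknown mode: {mode}")
    return [templates[mode].format(n) for n in weak]


if __name__ == "__main__":
    print("# at ProxySG#(config ssh-console)")
    for cmd in removal_commands(SAMPLE_CONSOLE_VIEW, "ssh-console"):
        print(cmd)
    print("# at ProxySG#(config ssh-client ciphers)")
    for cmd in removal_commands(SAMPLE_CLIENT_VIEW, "ssh-client"):
        print(cmd)
    masked = [n for n in parse_ciphers_view(SAMPLE_CLIENT_VIEW)["current"] if classify(n) == "masked"]
    if masked:
        print(f"# {len(masked)} masked name(s) not classified; check them on the appliance")
```

After running the generated commands on the appliance, repeat 'ciphers view' and confirm that the current list contains only the entries you intended to keep; the 'default' line is useful as a reference for what the firmware itself ships with.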