Disable weak ciphers on NSX Manager
Article ID: 323554
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- Security scanner has determined that a weak cipher is in used.
- Flagged cipher is ssh-rsa or another sha1 based cipher.
Environment
VMware NSX-T Data Center
Resolution
This issue will be fixed in future product release.
Workaround:
The following workaround is to be applied on every NSX appliance:
1. SSH to the appliance as "root".
2. Create a copy of sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
3. In section "# Cipher and MAC algorithms", use vi, or vim editor to edit the content as shown below:
Before change:
grep "Cipher and MAC" -A3 /etc/ssh/sshd_config-bak
# Cipher and MAC algorithms
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-ssha512,diffie-hellman-group14-sha256
After change:
grep "Cipher and MAC" -A3 /etc/ssh/sshd_config
# Cipher and MAC algorithms
Ciphers [email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5214. Get appliance os version from /etc/os-release file.
If appliance os is ubuntu 18.04 then add below line (hostkeyalgorithms option) at the end of sshd_config file -
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521If appliance os is ubuntu 20 or greater then add below line (hostkeyalgorithms option) at the end of sshd_config file -
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]Add below 'hostkey' options for all ubuntu OS at the end of sshd_config file -
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key5. Restart sshd service:
# service sshd restart
6. Review available cipheres:
# sshd -T | egrep -i 'cipher|kexalgorithms|Macs|hostkey'
Note: If your SSH client (e.g. PuTTY) throws error similar to:
"Couldn't agree a client-to-server cipher (available: [email protected],[email protected])"
Please update your SSH client/PuTTY to the latest available version (e.g. client supporting the ciphers available on NSX appliances).
Additional Information
Impact/Risks:
Security scanner may flag this as security vulnerability.
Security scanner may flag this as security vulnerability.
Feedback
Yes
No
Powered by
