Cannot modify sshd cipher list in FIPS mode

Article ID: 248643

Products

Messaging Gateway

Issue/Introduction

When attempting to modify the Messaging Gateway SSH server cipher list while running in FIPS mode, errors are returned indicating "No such file or directory" and a bad cipher spec, and the configuration reverts to the last backup.

smg [10.7.5-4]>  sshd-config --ciphers 'blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr'
/opt/Symantec/Brightmail/cli/sbin/sshdver: line 37: dev/null: No such file or directory
Please be aware that the ciphers you have selected have not been validated
for being FIPS certified.  It is your responsibility to ensure that you
are not including a non-FIPS-certified cipher in your list.

Previous setting for Ciphers:
        blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:
        blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr

Do you wish to make this change? (yes/no) yes
/etc/ssh/sshd_config line 160: Bad SSH2 cipher spec 'blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr'.
sshd_config: Error:  new /etc/ssh/sshd_config fails validation.  Reverting to backup.

Environment

Release : 10.7.5

Component : CLI

Cause

This is a known defect when attempting to modify the sshd configuration while running in FIPS mode.

Resolution

This issue will be addressed in a future release.

Workaround

This issue only occurs when running in FIPS mode; the sshd configuration can be modified while running in standard (non-FIPS) mode. To modify the sshd configuration, first exit FIPS mode, modify the SSH daemon configuration with the sshd-config command, and then re-enable FIPS mode. Changes made in non-FIPS mode are retained after switching back to FIPS mode.

Example

  1. Disable FIPS mode
    fipsmode off
  2. After the reboot, modify the ssh configuration
    sshd-config --ciphers '[email protected],aes128-ctr,aes192-ctr,aes256-ctr'
  3. Enable FIPS mode
    fipsmode on
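The sshd-config output above warns that the appliance does not validate whether the ciphers you pass are FIPS certified, and sshd rejects any name it does not recognise with "Bad SSH2 cipher spec". The following POSIX shell pre-flight check, added here as an example and not part of the article or the Messaging Gateway CLI, screens a comma-separated cipher spec before you run the workaround; the allowlist (AES in CTR and GCM modes) and the sample spec are assumptions constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for an sshd-config --ciphers argument: screen the spec against
# a FIPS allowlist (and, where possible, the local OpenSSH cipher list) first.

# Allowlist used by this example (assumption: AES in CTR and GCM modes). Replace it
# with the set your own FIPS validation covers.
FIPS_OK="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# Print, one per line, each cipher in the comma-separated spec $2 that is not in
# the space-separated list $1. Empty fields (e.g. a trailing comma) are skipped.
ciphers_not_in() {
    allowed=" $1 "
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r c; do
        [ -n "$c" ] || continue
        case $allowed in
            *" $c "*) ;;                 # present in the list: nothing to report
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# Return 0 when every cipher in the spec is on the FIPS allowlist, 1 otherwise,
# naming each offender on stderr.
check_fips_ciphers() {
    bad=$(ciphers_not_in "$FIPS_OK" "$1")
    [ -z "$bad" ] && return 0
    for c in $bad; do
        printf 'not on FIPS allowlist: %s\n' "$c" >&2
    done
    return 1
}

# If a local OpenSSH client is present, also report names sshd would reject with
# "Bad SSH2 cipher spec" (ssh -Q lists the client's ciphers, normally the same build
# as sshd). Advisory only: passes silently when ssh is not installed.
check_known_ciphers() {
    command -v ssh >/dev/null 2>&1 || return 0
    known=$(ssh -Q cipher 2>/dev/null | tr '\n' ' ')
    unknown=$(ciphers_not_in "$known" "$1")
    [ -z "$unknown" ] && return 0
    for c in $unknown; do
        printf 'unknown to this OpenSSH build: %s\n' "$c" >&2
    done
    return 1
}

# Constructed demonstration input: the CBC ciphers from the article's failing command.
SPEC='blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'
if check_fips_ciphers "$SPEC" && check_known_ciphers "$SPEC"; then echo "spec passed pre-flight"
else echo "fix the cipher spec before running sshd-config --ciphers" >&2; fi
```

Run it against the exact string you intend to pass to sshd-config; a clean exit status means the spec contains only allowlisted, recognised cipher names.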