Fibre Channel (SAN)
Occasional Contributor
Posts: 19
Registered: ‎02-28-2018

The remote SSH server is configured to allow weak encryption algorithms.

Hi Forum Members,

We have a 2005-R04 (Brocade 7500 extension) switch,

Kernel: 2.6.14.2
Fabric OS: v6.4.3h
Made on: Wed Sep 30 20:53:24 2015
Flash: Thu Apr 5 12:26:12 2018
BootProm: 4.6.6

which is quite old and has been EOL/EOS for a while. There is a technical refresh project running to replace them, but until then I have to remediate as many vulnerabilities as I can.

I got the result below from a scanner, which advises me to remove the weak cipher from the SSH config.

My question would be: is it possible to manually change these kinds of settings, or is the most common way to do that with a FOS upgrade?

 

The finding & possible fix:

Solution -

/etc/ssh/sshd_config file

Find the Ciphers line (if it exists), and remove arcfour from the line.
If there is no Ciphers line, please add the following line above the MACs line

Steps -

Add the below 2 lines in the /etc/ssh/sshd_config file

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
#MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

I logged in to the switch as root and checked the mentioned /etc/ssh/sshd_config file, but there wasn't anything related to ciphers.

 

Any idea would be appreciated.

 

Regards, Tamas.

Broadcom Moderator
Posts: 102
Registered: ‎03-29-2010

Re: The remote SSH server is configured to allow weak encryption algorithms.

This is an area where mistakes can make your switch more, not less, vulnerable to TCP/IP attacks, so it would be better to consult an expert in IP vulnerabilities than a Fibre Channel forum. The config file for your switch used the arcfour (RC4) default ciphers at the time of its build. Since then, vulnerabilities have been discovered in the earlier, weaker arcfour ciphers, and an upgrade is a good idea for this old FOS release.

I will stop short of advising you to make edits to your /etc/sshd_config file because, again, I don't think that giving security advice on a public forum is wise - that's just me. However, the ciphers listed in that recommendation do appear to be the correct ones. If you make the change to the /etc/sshd_config file, you will need to stop and restart the ssh service for the change to take effect.

doc

Any and all information provided by me is for entertainment value and should not be relied upon as a guaranteed solution or warranty of mechantability. All systems and all networks are different and unique. If you have a concern about data loss, or network disconnection, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, Please mark it with the button at the bottom "Accept as solution".

Occasional Contributor
Posts: 19
Registered: ‎02-28-2018

Re: The remote SSH server is configured to allow weak encryption algorithms.

Hi doc,

 

thank you for your reply. I agree with you; trying to fix this vulnerability issue could cause bigger problems, e.g. locking ourselves out of SSH communication.

A FOS upgrade would be the easiest way, but sadly this 6.4.3h is the latest, based on one of my previous questions: 2005-R18 with fw lv 6.4.3g

The switch replacement project is on its way, so that will solve our headache, but I just wanted to make sure whether it's possible to manually remediate the vulnerability or not.

The problem is, I can't find anything in connection with ciphers in the sshd_config file. Another strange thing is that we have two switches of the same type/FOS within a fabric, and only one of them was caught by the scanner. I compared the content of the /etc/sshd_config file on the switches, but no mismatches were found. I don't get why....

 

Regards, Tamás

 

 

Broadcom Moderator
Posts: 102
Registered: ‎03-29-2010

Re: The remote SSH server is configured to allow weak encryption algorithms.

The 'upgrade' I was referring to is for the latest set of ciphers, and not the FOS. I'm aware the 7500 is limited to that FOS level. Take a look in the /etc/ssh/ssh_config (we are the client). See what you find in there.

doc


Occasional Contributor
Posts: 19
Registered: ‎02-28-2018

Re: The remote SSH server is configured to allow weak encryption algorithms.

Hi Doc,

 

thank you for your thought. Let me paste the ssh_config file output from /etc. I think there is no sensitive information in it:

 

# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent yes
# ForwardX11 yes
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# TISAuthentication no
# PasswordAuthentication yes
# FallBackToRsh yes
# UseRsh no
# BatchMode no
# StrictHostKeyChecking no
# IdentityFile ~/.ssh/identity
# Port 22
# Cipher idea
# EscapeChar ~

All the lines are commented out, and there is only one line referring to ciphers.

 

Any idea? Regards, Tamas.

Broadcom Moderator
Posts: 467
Registered: ‎03-29-2011

Re: The remote SSH server is configured to allow weak encryption algorithms.

Hi tbene,

the standard/default configuration (compiled in) is not in /etc/sshd_config. You can get it displayed by connecting to the switch with 'ssh -vvv admin@switch-ip', and we would see

 

OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.172.34 [192.168.172.34] port 22.
debug1: Connection established.

...

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

 

 

You could then put the updated 'MACs ...' and 'Ciphers ...' lines into /etc/sshd_config on the switch as root

 

SW5000_2:root> cd /etc

SW5000_2:root> echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >>sshd_config
SW5000_2:root> echo "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160" >>sshd_config

 

restart the sshd

 

SW5000_2:root> sh /etc/init.d/sshd stop
SW5000_2:root> sh /etc/init.d/sshd start

We also need to copy the sshd_config file over to the other partition (and for directors to the other CP..)

 

SW5000_2:root>  cp /etc/sshd_config /mnt/etc/sshd_config

 

And then re-run the 'ssh -vvv admin@switch-ip' and we see

 

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-ripemd160
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-ripemd160

 

Of course, you had better have a serial connection available if you want to try this. This is not officially supported; the above is just an example. And any upgrade will of course wipe your changes away.

 

kind regards,

 

-martin

 




If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution".


Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
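Martin's procedure has two review points: reading the algorithm lists that 'ssh -vvv admin@switch-ip' prints before and after the change, and appending the Ciphers/MACs lines to sshd_config. The POSIX shell script below is an added example, not code from the thread, from Brocade or from Fabric OS: it extracts the weak algorithms from kex_parse_kexinit lines (a constructed sample in the same format as Martin's transcript is embedded) and appends the two lines from the scanner finding to an sshd_config file only when no active, uncommented Ciphers or MACs line already exists, keeping a backup so the edit can be reverted. The weak-algorithm pattern (arcfour, CBC modes, MD5 and the truncated -96 MACs) and the helper names are my assumptions; the sshd restart, the copy to /mnt/etc and keeping a second session open while you verify remain the manual steps Martin describes.

```shell
#!/bin/sh
# Added example (not from the thread or Brocade): review the algorithm lists
# that 'ssh -vvv' prints, and append hardened Ciphers/MACs lines to an
# sshd_config only when they are missing.

# Constructed sample of the debug2 lines the client prints for the switch's
# offered algorithms; a real 'ssh -vvv' run prints them in the same format.
SAMPLE_KEXINIT='debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96'

# Assumed weak-algorithm pattern: the arcfour (RC4) ciphers from the scanner
# finding plus the usual companions in such reports (CBC modes, MD5 and
# truncated 96-bit MACs). Adjust to your scanner's policy.
WEAK_ALGO_RE='arcfour|-cbc|hmac-md5|-96$'

# weak_algos: read kex_parse_kexinit lines on stdin and print each distinct
# weak algorithm name, one per line.
weak_algos() {
    grep 'kex_parse_kexinit:' |
        sed 's/^.*kex_parse_kexinit: //' |
        tr ',' '\n' |
        grep -E "$WEAK_ALGO_RE" |
        sort -u
}

# The two lines from the scanner finding (MACs uncommented, as Martin used them).
HARDENED_CIPHERS='Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
HARDENED_MACS='MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160'

# harden_sshd_config FILE: back the file up to FILE.bak, then append the
# hardened lines unless an active (uncommented) Ciphers/MACs line exists.
# A commented '#MACs ...' line does not count as active. Prints the number
# of lines appended; re-running on the same file appends nothing.
harden_sshd_config() {
    f=$1
    added=0
    cp "$f" "$f.bak"
    if ! grep -Eq '^[[:space:]]*Ciphers[[:space:]]' "$f"; then
        printf '%s\n' "$HARDENED_CIPHERS" >>"$f"
        added=$((added + 1))
    fi
    if ! grep -Eq '^[[:space:]]*MACs[[:space:]]' "$f"; then
        printf '%s\n' "$HARDENED_MACS" >>"$f"
        added=$((added + 1))
    fi
    echo "$added"
}

# demo: run both helpers on the constructed inputs (a temp file stands in
# for the switch's sshd_config, which had no Ciphers line at all).
demo() {
    echo "Weak algorithms offered:"
    printf '%s\n' "$SAMPLE_KEXINIT" | weak_algos
    tmp=$(mktemp)
    printf '%s\n' '# constructed sshd_config sample' 'Port 22' 'Protocol 2' >"$tmp"
    echo "Lines appended on first run: $(harden_sshd_config "$tmp")"
    echo "Lines appended on second run: $(harden_sshd_config "$tmp")"
    grep -E '^(Ciphers|MACs) ' "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run the review part against a saved transcript of the 'ssh -vvv' session (pipe the file into weak_algos), and the edit against a copy of sshd_config first; on the switch itself the remaining steps are Martin's restart of sshd and the copy to /mnt/etc, followed by a second 'ssh -vvv' whose cipher and MAC lines should then contain only the hardened sets.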
Occasional Contributor
Posts: 19
Registered: ‎02-28-2018

Re: The remote SSH server is configured to allow weak encryption algorithms.

Hi Martin,

 

thank you so much for the hint and the detailed description; it is worth a try since the hardware change is still in project status. We just wonder whether we could enable telnet on the switch only for the time when we add the ciphers, so as not to lock ourselves out of the switch. A serial connection is not an option for us, because we support the SAN remotely.

 

Regards, Tamas.

 

 
