HMC – SSH Server CBC Mode Ciphers Enabled – SSH Weak MAC Algorithms Enabled issue

The information security department sent “SSH Server CBC Mode Ciphers Enabled” and “SSH Weak MAC Algorithms Enabled” issues for the Hardware Management Console (HMC). How can I fix this?

First, you can check the current configuration with the commands below.

hscroot@HMC-ODM:~> lshmcencr -c ssh -t c
"curr_encryptions=aes128-cbc,aes128-ctr,aes128-gcm@openssh.com,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,aes256-gcm@openssh.com,arcfour,arcfour128,arcfour256"
hscroot@HMC-ODM:~> lshmcencr -c sshmac -t c
"curr_encryptions=hmac-ripemd160,hmac-ripemd160-etm@openssh.com,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com"

I want to use “arcfour,arcfour128,arcfour256 cipher” and “hmac-sha1,umac-64@openssh.com,hmac-ripemd160” macs. So I deleted the other current configurations.

Delete ciphers:

chhmcencr -c ssh -o r -e aes128-cbc
chhmcencr -c ssh -o r -e aes128-gcm@openssh.com
chhmcencr -c ssh -o r -e aes192-cbc
chhmcencr -c ssh -o r -e aes256-cbc
chhmcencr -c ssh -o r -e aes256-gcm@openssh.com
chhmcencr -c ssh -o r -e arcfour
chhmcencr -c ssh -o r -e arcfour128
chhmcencr -c ssh -o r -e arcfour256

After that:

hscroot@HMC-ODM:~> lshmcencr -c ssh -t c
"curr_encryptions=aes128-ctr,aes192-ctr,aes256-ctr"

Delete MACs:

chhmcencr -c sshmac -o r -e hmac-ripemd160-etm@openssh.com
chhmcencr -c sshmac -o r -e hmac-sha1-etm@openssh.com
chhmcencr -c sshmac -o r -e hmac-sha2-256
chhmcencr -c sshmac -o r -e hmac-sha2-256-etm@openssh.com
chhmcencr -c sshmac -o r -e hmac-sha2-512
chhmcencr -c sshmac -o r -e hmac-sha2-512-etm@openssh.com
chhmcencr -c sshmac -o r -e umac-128-etm@openssh.com
chhmcencr -c sshmac -o r -e umac-128@openssh.com
chhmcencr -c sshmac -o r -e umac-64-etm@openssh.com

Finally, the result:
hscroot@HMC-ODM:~> lshmcencr -c sshmac -t c
"curr_encryptions=hmac-ripemd160,hmac-sha1,umac-64@openssh.com"

After that, you cannot connect to your HMC because this command stops your SSH connectivity. So you should log in to your HMC and start Remote Command Execution in the HMC settings.
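Because the removals above cut SSH access, it helps to plan them offline first. The following is an added example, not part of the original post: shell functions for an admin workstation (not the HMC itself) that take an `lshmcencr` output line plus a keep list and print the matching `chhmcencr` removals, then list any CBC or arcfour ciphers still present in a line. The function names and the keep-list argument are assumptions; the sample lines are the outputs shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Split a quoted lshmcencr output line into one algorithm per line.
parse_curr() {
    printf '%s\n' "$1" | tr -d '"' | sed 's/^curr_encryptions=//' | tr ',' '\n'
}

# removal_cmds <ssh|sshmac> <lshmcencr line> <comma-separated keep list>
# Prints one chhmcencr removal for every enabled algorithm not on the keep list.
removal_cmds() {
    parse_curr "$2" | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        case ",$3," in
            *",$alg,"*) ;;  # kept: exact match between commas, no prefix hits
            *) printf 'chhmcencr -c %s -o r -e %s\n' "$1" "$alg" ;;
        esac
    done
}

# residual_cbc_rc4 <lshmcencr line>
# Prints every CBC-mode or arcfour (RC4) cipher still enabled in that line.
residual_cbc_rc4() {
    parse_curr "$1" | while IFS= read -r alg; do
        case "$alg" in
            *-cbc|arcfour*) printf '%s\n' "$alg" ;;
        esac
    done
}

# Output lines as shown in the post.
CIPHERS='"curr_encryptions=aes128-cbc,aes128-ctr,aes128-gcm@openssh.com,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,aes256-gcm@openssh.com,arcfour,arcfour128,arcfour256"'
MACS='"curr_encryptions=hmac-ripemd160,hmac-ripemd160-etm@openssh.com,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com"'

echo "# cipher removals"
removal_cmds ssh "$CIPHERS" 'aes128-ctr,aes192-ctr,aes256-ctr'
echo "# MAC removals"
removal_cmds sshmac "$MACS" 'hmac-ripemd160,hmac-sha1,umac-64@openssh.com'
echo "# CBC/RC4 ciphers enabled before the change"
residual_cbc_rc4 "$CIPHERS"
```

Running `residual_cbc_rc4` on the `lshmcencr -c ssh -t c` line captured after the change should print nothing.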
