Hi All
Is any one know how to diable CBC mode cipher encryption along with MD5 & 96 bit MAC algorithm in solaris 10.
Regards
You want to stop encryption.
What exactly is being encrypted that causes a problem?
We need to see what is causing the problem, not what you believe will fix it. Please help us to help you.
Dear Jim
Thanks for the showing interest in resolving my issue actually I cannot login into this server due to some restriction but I need to provide the solution to disable it. This is recommeded by audit team, please find below link
These are related to security issue. I am not able to find anything exactly related to disabling these for Solaris . Further I am able to find out only one solution on IBM/HPE site. I hope these will help you in finding the exact answer from Solaris point of view.
FAQ: How do I disable Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in IBM PureData System for Operational Analytics - dWAnswers
Solved: Disable CBC mode cipher encryption , MD5 and 96-bi... - Hewlett Packard Enterprise Community
what version of Solaris has this issue? If you patched the system regularly this this was resolved in 2009.
These patches fix the problem:
Sparc:
Solaris 9 without patch 122300-38
Solaris 10 without patch 140774-02
x86 Platform:
Solaris 9 without patch 122301-38
Solaris 10 without patch 140775-02
If you have Oracle support contact them for help. You will have to have support anyway to get access to any patches. I do not think V9 patches are available anymore - maybe someone else knows more about v9 patches. At any rate the correct way to fix these issues is with a patch.
If I understand correctly:
You do not want to disable encryption. Period. Unless a misguided auditor tells you to do this in writing. You could be out of a job quickly.
Here is why: ssh may not talk to any other ssh client or server. The sshd.conf file specifies what encryption you use - the default for Solaris 10 was AES128, IRRC, for example.
So what Solaris version do you have, please show the output of:
uname -a
cat /etc/release
Thanks Jim
Well I logged this issue here because I wanted to know if someone has already gone
through this issue & looking forward to disable specific CBC-mode ciphers only where have issues as I new that disabling all the CBC mode cipher might bring unpredictable results. So now finally even I have decided to go for higher version patch need to be installed for this issue to be resolved.
As far as Disabling 96-bit HMAC And MD5-based HMAC Algorithms are concern, I recently find the solution which is by adding "MACs hmac-sha1" to /etc/ssh/sshd_config & then restart the SSH service. & I believe , there is no patching required in this case.
MAC defaults are mention in man page of sshd_config