How to Disable Weak SSH Cipher/MAC Algorithms in PICOS

Requirement

Some security scans may flag the following Server-to-Client or Client-to-Server encryption algorithms as vulnerable:
arcfour
arcfour128
arcfour256

The following Message Authentication Code (MAC) algorithms may also be flagged:
hmac-md5
hmac-md5-96
hmac-sha1-96


NOTE:

PICOS 3.1.0 and later versions use OpenSSH (?) version 6.7p1, and the default Ciphers are:

    chacha20-poly1305@openssh.com,
    aes128-ctr,aes192-ctr,aes256-ctr,
    aes128-gcm@openssh.com,aes256-gcm@openssh.com

Description

Verify whether weak cipher and MAC algorithms are currently used by the SSH server running on the PICOS switch.

Perform the following three steps:

1.    Check the cipher and MAC algorithms currently supported by the SSH server on the PICOS switch.

Check the version of SSH:

root@Xorplus:/etc/ssh# ssh -v

OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013

2.    Check which cipher and MAC algorithms are currently supported.

From another Linux server, list the cipher and MAC algorithms offered by the PICOS switch with the following command:
nmap --script ssh2-enum-algos -sV -p 22 <IP of PICOS switch>

Example output:

[root@AutomationServer1 html]# nmap --script ssh2-enum-algos -sV -p 22 172.16.0.191

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-14 14:13 PDT
Nmap scan report for 172.16.0.191
Host is up (0.00079s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (3)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|   encryption_algorithms (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms (11)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-256-96
|       hmac-sha2-512
|       hmac-sha2-512-96
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96

3.    From the above output, decide which cipher or MAC algorithms you want to disable. For example, suppose you want to disable the arcfour cipher algorithms.

Solution

Disable the weak cipher and MAC algorithms used by the SSH server running on the PICOS switch by performing the following three steps:

1.     Disable the weak cipher and MAC algorithms by editing the sshd configuration file on the PICOS switch:

# vi /etc/ssh/sshd_config

Press 'i' to enter insert mode and add the lines below at the end of the file. List only the cipher and MAC algorithms that should remain supported; do not include the weak cipher and MAC algorithms.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc

MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512

Save the file.
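Appending the two lines to the end of the file is correct only when no earlier active Ciphers or MACs line already exists, because sshd uses the first value it reads for each keyword. The following Python script, added here as an example and not Pica8's own code, sets the two directives so that the first active occurrence carries the intended value, and validates the candidate file with sshd -t before replacing the original, since a typo or an algorithm name that this OpenSSH build does not support stops sshd from starting after the restart in step 2. The sshd binary path and the sample configuration fragment are assumptions.

```python
"""Set Ciphers/MACs in sshd_config so the first occurrence is the one you intend.

Added example for this article, not Pica8 code. sshd applies the first value it
reads for a keyword, so appending to the end of the file only works when no
earlier active line already sets Ciphers or MACs.
"""
import re
import subprocess
import tempfile
from pathlib import Path

SSHD = "/usr/sbin/sshd"  # assumed path of the sshd binary on the Debian-based switch


def set_directive(text: str, keyword: str, value: str) -> str:
    """Return config text in which `keyword value` is the single active setting.

    The first active occurrence is replaced, later active duplicates are commented
    out, and the line is appended only when the keyword is absent. Keywords are
    matched case-insensitively, as sshd does ("Macs" and "MACs" are the same key).
    """
    active = re.compile(r"^\s*" + re.escape(keyword) + r"\s+\S", re.IGNORECASE)
    out, seen = [], False
    for line in text.splitlines():
        if not active.match(line):
            out.append(line)
        elif seen:
            out.append("# disabled duplicate: " + line)
        else:
            out.append(f"{keyword} {value}")
            seen = True
    if not seen:
        out.append(f"{keyword} {value}")
    return "\n".join(out) + "\n"


def harden_sshd_config(path: Path, ciphers: str, macs: str, validate: bool = True) -> str:
    """Rewrite `path` with the given lists; validate the candidate before replacing the original.

    A typo or an algorithm name this OpenSSH build does not support (for example a
    chacha20 or gcm cipher on 6.0p1) makes sshd refuse to start, which after the
    restart in step 2 would leave no SSH access to the switch. `sshd -t` catches
    that first; it needs root so that the host keys can be read.
    """
    new_text = set_directive(path.read_text(), "Ciphers", ciphers)
    new_text = set_directive(new_text, "MACs", macs)
    candidate = path.with_name(path.name + ".candidate")
    candidate.write_text(new_text)
    if validate:
        subprocess.run([SSHD, "-t", "-f", str(candidate)], check=True)
    candidate.replace(path)
    return new_text


# The lists from the article's step 1 (they still include CBC-mode ciphers, which
# many scanners flag as well; drop the *-cbc entries for a stricter policy).
ARTICLE_CIPHERS = "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
ARTICLE_MACS = "hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512"

# Constructed sshd_config fragment with an earlier Ciphers line that appending would not override.
SAMPLE_CONFIG = """Port 22
Protocol 2
Ciphers aes128-cbc,arcfour
#MACs hmac-md5
"""


def demo() -> str:
    """Apply the change to a temporary copy of SAMPLE_CONFIG without running sshd."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sshd_config"
        cfg.write_text(SAMPLE_CONFIG)
        return harden_sshd_config(cfg, ARTICLE_CIPHERS, ARTICLE_MACS, validate=False)


if __name__ == "__main__":
    print(demo())
```

When editing with vi instead, running sshd -t -f /etc/ssh/sshd_config by hand before step 2 gives the same protection. The article's cipher list keeps the CBC-mode ciphers and 3DES, which many scanners report alongside arcfour; remove the -cbc entries if the scan you are answering flags them.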

2.     On the PICOS switch, restart SSH with the following Linux command:

/etc/init.d/ssh restart

3.     Verify that the weak cipher and MAC algorithms are no longer used by the SSH server running on the PICOS switch.

From another Linux server, list the cipher and MAC algorithms offered by the PICOS switch again with the following command:
nmap --script ssh2-enum-algos -sV -p 22 <IP of PICOS switch>

The output now lists only the allowed cipher and MAC algorithms; the arcfour cipher algorithms no longer appear.


Example output:

[root@AutomationServer1 html]# nmap --script ssh2-enum-algos -sV -p 22 172.16.0.191

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-14 14:35 PDT
Nmap scan report for 172.16.0.191
Host is up (0.00055s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (3)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|   encryption_algorithms (8)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       aes192-cbc
|       aes256-cbc
|   mac_algorithms (4)
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
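The nmap script used in the enumeration step and in this verification step reads the algorithm lists from the server's SSH_MSG_KEXINIT, the first packet the server sends after the version banner. The following Python script, added here as an example and not Pica8's or OpenSSH's code, parses that message as laid out in RFC 4253 section 7.1 and reports the cipher and MAC names that scanners flag, so the before/after comparison above can be scripted for many switches. The sample KEXINIT payloads are constructed inline from the article's pre-change scan; fetch_server_kexinit performs the live version exchange against a switch you administer. It flags arcfour and hmac-md5 as the article does, and additionally the truncated (-96) MACs and CBC-mode ciphers that the article's configuration retains, because scans commonly report those too.

```python
"""Parse SSH_MSG_KEXINIT (RFC 4253 section 7.1) and flag weak cipher/MAC names.
Added example for this article, not Pica8 or OpenSSH code; only fetch_server_kexinit() touches the network."""
import socket
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def is_weak(name: str) -> bool:
    """arcfour*, hmac-md5*, truncated 96-bit MACs, and CBC-mode ciphers."""
    return name.startswith(("arcfour", "hmac-md5")) or name.endswith("-96") or "-cbc" in name


def _read_name_list(buf: bytes, off: int):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    return (raw.decode("ascii").split(",") if raw else []), off + 4 + n


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten KEXINIT name-lists keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off, fields = 1 + 16, {}  # skip the message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        fields[field], off = _read_name_list(payload, off)
    return fields


def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the sample vectors."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # a fixed cookie is fine for a test vector
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved=0


def weak_algorithms(fields: dict) -> dict:
    """{field: [weak names]} over the four cipher and MAC lists; empty when clean."""
    found = {}
    for field, names in fields.items():
        if field.startswith(("encryption_algorithms", "mac_algorithms")):
            weak = [n for n in names if is_weak(n)]
            if weak:
                found[field] = weak
    return found


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Version exchange, then the server's first binary packet, which is still unencrypted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text lines before the banner
            line = f.readline()
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)  # payload followed by padding; no MAC before key exchange
        return body[:packet_len - 1 - pad_len]


def _sample(ciphers: list, macs: list) -> bytes:
    return build_kexinit({
        "kex_algorithms": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
        "server_host_key_algorithms": ["ssh-rsa", "ecdsa-sha2-nistp256"],
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": macs,
        "mac_algorithms_server_to_client": macs,
    })


# Constructed from the article's pre-change scan of OpenSSH 6.0p1 ...
SAMPLE_BEFORE = _sample(
    ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "arcfour"],
    ["hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha1-96", "hmac-md5-96"],
)
# ... and a CTR/SHA-2-only configuration that should come back clean.
SAMPLE_CLEAN = _sample(["aes128-ctr", "aes192-ctr", "aes256-ctr"],
                       ["hmac-sha2-256", "hmac-sha2-512", "umac-64@openssh.com"])


def report(payload: bytes) -> dict:
    return weak_algorithms(parse_kexinit(payload))


if __name__ == "__main__":
    for field, names in report(SAMPLE_BEFORE).items():
        print(f"{field}: {', '.join(names)}")
    # report(fetch_server_kexinit("<IP of PICOS switch>")) runs the same check against a live switch
```

An empty dictionary from report means none of the flagged names are offered in either direction; a non-empty one names the list and the entries to remove from the Ciphers or MACs line in step 1.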

Copyright © 2025 Pica8 Inc. All Rights Reserved.