How to Disable Weak SSH Cipher/MAC Algorithms in PICOS
Requirement
Some security scans may flag the following server-to-client or client-to-server encryption algorithms as vulnerable:
arcfour
arcfour128
arcfour256
Similarly, the following Message Authentication Code (MAC) algorithms may be flagged:
hmac-md5
hmac-md5-96
hmac-sha1-96
NOTE:
PICOS 3.1.0 and later versions use OpenSSH(?) version 6.7p1, and the following are its default ciphers:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
Description
Verify whether weak cipher and MAC algorithms are currently used by the SSH server running on the PICOS switch.
Perform the following three steps:
1. First, check the cipher and MAC algorithms currently supported by the SSH server on the PICOS switch. Start by checking the SSH version:
root@Xorplus:/etc/ssh# ssh -v
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
2. Check which cipher and MAC algorithms are currently supported.
From another Linux server, run the following nmap command to list the cipher and MAC algorithms offered by the PICOS switch:
nmap --script ssh2-enum-algos -sV -p 22 <IP of PICOS switch>
Example output:
[root@AutomationServer1 html]# nmap --script ssh2-enum-algos -sV -p 22 172.16.0.191

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-14 14:13 PDT
Nmap scan report for 172.16.0.191
Host is up (0.00079s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (3)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|   encryption_algorithms (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms (11)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-256-96
|       hmac-sha2-512
|       hmac-sha2-512-96
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
3. From the above output, decide which cipher or MAC algorithms you want to disable. For example, suppose you want to disable the arcfour cipher algorithms.
Solution
Disable the weak cipher and MAC algorithms used by the SSH server running on the PICOS switch by performing the following three steps:
1. On the PICOS switch, restrict the ciphers and MACs offered by the SSH server by editing its configuration file:
# vi /etc/ssh/sshd_config
Press the 'i' key to enter insert mode and add the lines below to the end of the file (list only the cipher and MAC algorithms that need to be supported, and do not include the weaker cipher and MAC algorithms):
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512
Save the file.
2. On the PICOS switch restart SSH with the following Linux command:
/etc/init.d/ssh restart
3. Verify that the weak cipher and MAC algorithms are no longer used by the SSH server running on the PICOS switch.
From another Linux server, run the following nmap command again to list the cipher and MAC algorithms offered by the PICOS switch:
nmap --script ssh2-enum-algos -sV -p 22 <IP of PICOS switch>
The following output shows that the arcfour cipher algorithms are no longer offered by SSH; only the allowed cipher and MAC algorithms are listed now.
Example output:
[root@AutomationServer1 html]# nmap --script ssh2-enum-algos -sV -p 22 172.16.0.191

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-14 14:35 PDT
Nmap scan report for 172.16.0.191
Host is up (0.00055s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (3)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|   encryption_algorithms (8)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       aes192-cbc
|       aes256-cbc
|   mac_algorithms (4)
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
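As an added example (not Pica8's code and not part of the original article), the following Python script automates the verification and configuration steps above: it parses nmap ssh2-enum-algos output like the listings shown, reports which of the weak algorithms named in this article the switch still advertises, and builds the matching Ciphers/MACs lines for sshd_config from the remaining ones. The nmap output embedded in it is a constructed sample, and the weak-algorithm lists are taken from the Requirement section.

```python
import re

# Weak algorithms flagged in the article (Requirement section).
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Constructed sample modelled on nmap's ssh2-enum-algos script output.
SAMPLE_NMAP_OUTPUT = """\
| ssh2-enum-algos:
|   encryption_algorithms (5)
|       aes128-ctr
|       aes256-ctr
|       arcfour256
|       arcfour
|       aes256-cbc
|   mac_algorithms (4)
|       hmac-md5
|       hmac-sha1
|       hmac-sha2-256
|       hmac-sha1-96
|_  compression_algorithms (2)
"""

def parse_enum_algos(text):
    """Return {section_name: [algorithm, ...]} from ssh2-enum-algos output."""
    sections = {}
    current = None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()  # drop nmap's '|' / '|_' prefixes
        if not body or body.startswith("ssh2-enum-algos"):
            continue
        m = re.match(r"^(\w+_algorithms)\s+\(\d+\)$", body)
        if m:                      # section header, e.g. "mac_algorithms (4)"
            current = m.group(1)
            sections[current] = []
        elif current:              # algorithm name under the current section
            sections[current].append(body)
    return sections

def weak_algorithms_offered(sections):
    """Which of the known-weak ciphers and MACs the server still advertises."""
    ciphers = set(sections.get("encryption_algorithms", []))
    macs = set(sections.get("mac_algorithms", []))
    return sorted(ciphers & WEAK_CIPHERS), sorted(macs & WEAK_MACS)

def sshd_config_lines(sections):
    """Ciphers/MACs lines for sshd_config: the advertised set minus the weak ones, in server order."""
    ciphers = [c for c in sections.get("encryption_algorithms", []) if c not in WEAK_CIPHERS]
    macs = [m for m in sections.get("mac_algorithms", []) if m not in WEAK_MACS]
    return "Ciphers " + ",".join(ciphers), "MACs " + ",".join(macs)

if __name__ == "__main__":
    parsed = parse_enum_algos(SAMPLE_NMAP_OUTPUT)
    print("weak algorithms still offered:", weak_algorithms_offered(parsed))
    print(*sshd_config_lines(parsed), sep="\n")
```

Feed it the real scan by piping nmap's output into parse_enum_algos; an empty result from weak_algorithms_offered after the restart confirms the change took effect.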
Copyright © 2025 Pica8 Inc. All Rights Reserved.