September 14th, 2023 13:50

SSH Weak Message Authentication Code Algorithms - N3248PXE-ON

I am having issues with securing the Dell N-Series switches we have on-site.  Security is telling me we are getting the above error on the vulnerability scans.

I have the following configured

no ip http secure-protocol TLS1.0 TLS 1.1

ip http secure-ciphersuite ecdhe-rsa-aes-gcm-sha2 rsa-aes-cbc-sha2

We are still seeing issues with

  • Insecure MAC algorithms in use: hmac-sha1,hmac-sha1-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5

How can I resolve this issue?

Moderator

September 14th, 2023 18:27

Hello Cathy,

 

I will have to look into this.

 

Could you let us know the OS and firmware version you are on?

September 18th, 2023 14:27

Good Morning @Dell -Charles R,

We are using OS6 and are currently on Firmware 6.8.1.3

Thanks for helping with this. As mentioned above, security reports are still showing an error after putting in the above commands, and there is a big push to get all vulnerabilities fixed. Any help would be appreciated.

Cathy Jo

Moderator

18-09-2023 14:59 PM

Hello Cathy,

 

On 6.8 or later, issue the following commands:

 

(config)#no ip ssh server algorithm mac hmac-sha1-etm@openssh.com

(config)#no ip ssh server algorithm mac hmac-sha1

 

Dell -Charles R

Social Media and Communities Professional

Dell Technologies | Enterprise Support Services

#IWork4Dell

Did I answer your query? Please click on ‘Accept as Solution’. ‘Thumbs up’ the posts you like!

October 8th, 2023 23:42

@Dell -Charles R​ 

I have the same issue. I am just running a newer OS. OS10 does not seem to like these commands for removal of the sha1 algorithms. 

10.5.5.5 or 10.5.5.6

Moderator

09-10-2023 05:32 AM

Hi,

 

The command #no ip ssh server algorithm is for OS6; you might want to check the command #no ip ssh server cipher.

DELL-Joey C

Social Media and Communities Professional

Dell Technologies | Enterprise Support Services

#IWork4Dell

Did I answer your query? Please click on ‘Mark as Accepted Answer’. ‘Thumbs up’ the posts you like!

October 9th, 2023 13:31

@DELL-Joey C​ 

That just performs a reset to default. Not actually clearing the sha1 algorithms.

Moderator

10-10-2023 03:21 AM

Hi,

 

That's right, it's to reset to default. 

 

If you want to set which MAC algorithms you need or want to remove, you can use: # ip ssh server mac. You can check your current SSH MAC algorithms with #show ip ssh, and set which are not needed.

 

Example: 

S5248F-ON-1# show ip ssh
  Version:        PKIX-SSH 12.4.3
  based on:       OpenSSH_8.2p1
  using library:  OpenSSL 1.0.2zg-fips  7 Feb 2023

 

SSH Server:                   Enabled
--------------------------------------------------
SSH Server Ciphers:           chacha20-poly1305@openssh.com,aes128-ctr,
                              aes192-ctr,aes256-ctr,
                              aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs:              umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                              hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
                              hmac-sha1-etm@openssh.com,umac-64@openssh.com,
                              umac-128@openssh.com,hmac-sha2-256,
                              hmac-sha2-512,hmac-sha1

 

If you do not need SHA1:

 

S5248F-ON-1# configure terminal  

S5248F-ON-1(config)# ip ssh server mac hmac-sha2-256 hmac-sha2-512 umac-128@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com

S5248F-ON-1# show ip ssh
  Version:        PKIX-SSH 12.4.3
  based on:       OpenSSH_8.2p1
  using library:  OpenSSL 1.0.2zg-fips  7 Feb 2023

 

SSH Server:                   Enabled
--------------------------------------------------
SSH Server Ciphers:           chacha20-poly1305@openssh.com,aes128-ctr,
                              aes192-ctr,aes256-ctr,
                              aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs:              hmac-sha2-256,hmac-sha2-512,
                              umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,
                              hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

 

This is just an example output I've obtained from one of L3 support.

DELL-Joey C

Social Media and Communities Professional

Dell Technologies | Enterprise Support Services

#IWork4Dell

Did I answer your query? Please click on ‘Mark as Accepted Answer’. ‘Thumbs up’ the posts you like!
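
An added example, not part of the thread and not Dell tooling: a Python check that parses the "SSH Server MACs:" field of the show ip ssh output quoted above, lists the weak entries, and builds the matching ip ssh server mac line from what remains. The weak-MAC pattern (SHA-1, MD5, 96-bit truncation, umac-64) is an assumed policy chosen to match the scanner finding and the example command in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: the "before" SSH section of `show ip ssh` quoted in the thread.
SAMPLE = """\
SSH Server:                   Enabled
--------------------------------------------------
SSH Server Ciphers:           chacha20-poly1305@openssh.com,aes128-ctr,
                              aes192-ctr,aes256-ctr,
                              aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs:              umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                              hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
                              hmac-sha1-etm@openssh.com,umac-64@openssh.com,
                              umac-128@openssh.com,hmac-sha2-256,
                              hmac-sha2-512,hmac-sha1
"""

# Assumed policy (not a Dell-published list): SHA-1, MD5, 96-bit truncated
# tags and 64-bit UMAC are treated as weak; adjust to your scanner's findings.
WEAK = re.compile(r"sha1|md5|-96|umac-64")


def parse_macs(show_ip_ssh):
    """Return the MAC names from the 'SSH Server MACs:' field, joining wrapped lines."""
    macs, in_field = [], False
    for line in show_ip_ssh.splitlines():
        if line.startswith("SSH Server MACs:"):
            in_field, value = True, line.split(":", 1)[1]
        elif in_field and line[:1].isspace() and line.strip():
            value = line  # indented continuation of the MAC list
        else:
            in_field = False
            continue
        macs += [m for m in value.strip().split(",") if m]
    return macs


def audit(show_ip_ssh):
    """Return (weak, keep, command) where command re-declares only the kept MACs."""
    macs = parse_macs(show_ip_ssh)
    weak = [m for m in macs if WEAK.search(m)]
    keep = [m for m in macs if not WEAK.search(m)]
    if not keep:  # never emit a command that leaves no acceptable MAC
        raise ValueError("no acceptable MAC algorithm would remain")
    return weak, keep, "ip ssh server mac " + " ".join(keep)


if __name__ == "__main__":
    weak, keep, command = audit(SAMPLE)
    print("weak MACs offered:", ", ".join(weak) or "none")
    print("suggested config :", command)
```

Run it again on the output captured after the change; an empty weak list confirms the switch no longer offers the flagged algorithms.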
