Connectrix B-Series: Seccryptocfg may Not Properly Update SSHD Configuration if Multiple SSH Parameters are Changed Simultaneously

Summary: This article provides a workaround when "Seccryptocfg" does not properly update the SSHD configuration.


Symptoms

When a user runs seccryptocfg to change multiple SSH parameters (cipher, kex, mac) in the same command, the SSHD configuration may not be updated correctly, or the SSHD process may not restart. The output of the seccryptocfg command may show that SSH is configured as intended, but the displayed configuration may not be in effect.

After changing SSH parameters, seccryptocfg may show an SSH configuration that differs from the one the running SSHD process is actually using.

This is typically seen when updating SSH parameters to resolve reported security scan vulnerabilities. After a user disables the vulnerable items, and they are no longer displayed in the output of the seccryptocfg command, the security scans may continue to report them since the SSHD process was not updated correctly.

Cause

The seccryptocfg command tries to restart the SSHD process after each change to an SSH parameter (cipher, kex, mac). When multiple parameters are configured in the same command, the user's SSH session may be terminated before all SSH parameters have been updated in the underlying configuration files, or before SSHD restarts.

Affected Software Release: v8.2.2c and earlier

Resolution

Workaround:

There are a couple of available workarounds:

  • When using seccryptocfg to update SSH parameters, only change one parameter at a time.

    For example, the following command updates both the 'cipher' and 'kex' parameters in the same command, and may encounter this issue:

    seccryptocfg --replace -type SSH -cipher aes128-ctr,aes192-ctr -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384

    Breaking the above command into the following two commands avoids this issue:

    seccryptocfg --replace -type SSH -cipher aes128-ctr,aes192-ctr
    seccryptocfg --replace -type SSH -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384
  • Another way to avoid the issue is to use the seccryptocfg command in either a telnet session or a serial console port connection.

Resolution:

Upgrade to FOS v8.2.2d, or FOS v9.0.0 or later and then run the seccryptocfg command.
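
To confirm that the running SSHD matches what seccryptocfg displays, compare the algorithm lists in the server's SSH_MSG_KEXINIT message (RFC 4253) with the intended lists. The following Python is an added example, not part of the Dell article or FOS; it assumes the KEXINIT payload has already been captured from the switch (the sample here is constructed), and the function names and the parameter-to-field mapping are assumptions.

```python
import struct

# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# seccryptocfg parameter -> KEXINIT fields it governs (mapping is an assumption)
PARAMS = {"cipher": ("cipher_c2s", "cipher_s2c"), "kex": ("kex",),
          "mac": ("mac_c2s", "mac_s2c")}
# Protocol-extension markers some servers append to the kex list; not algorithms
MARKERS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = [a for a in raw.split(",") if a and a not in MARKERS]
        pos += 4 + n
    return out

def drift(offered: dict, intended: dict) -> dict:
    """Algorithms the daemon still offers that the intended config excludes."""
    result = {}
    for param, allowed in intended.items():
        live = {a for f in PARAMS[param] for a in offered[f]}
        if live - set(allowed):
            result[param] = sorted(live - set(allowed))
    return result

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload from name-lists (used for the constructed sample)."""
    body = bytes([20]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)

# Intended lists are the ones from the article's example commands.
INTENDED = {"cipher": ["aes128-ctr", "aes192-ctr"],
            "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384"]}
# Constructed sample: a daemon that picked up the cipher change but not the kex change.
SAMPLE = build_kexinit({"kex": INTENDED["kex"] + ["diffie-hellman-group14-sha1"],
                        "cipher_c2s": INTENDED["cipher"],
                        "cipher_s2c": INTENDED["cipher"]})
print(drift(parse_kexinit(SAMPLE), INTENDED))
```

An empty result means every cipher, kex, and mac entry the daemon offers is in the intended list; any non-empty entry is an algorithm a security scan would still report.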

Affected Products

Connectrix B-Series

Products

Connectrix B-Series Software
Article Properties
Article Number: 000220106
Article Type: Solution
Last Modified: 10 Rabi' al-Awwal 1447
Version:  3