A customer vulnerability scan report flags weak SSH algorithms as enabled, and the customer wants them disabled. Through the CLI we have only limited control over the key, kex, cipher and MAC algorithm sets: for kexalgos, we can enable either ecdh-sha2-nistp384 alone or all kexalgos; for ciphers, either aes256-gcm alone or all; for macs, the only option is "enable all". Values set through the CLI do persist across a reload, but there is no way to enable or disable individual algorithms.

The current workaround that meets the customer requirement is to manually edit the dcos_sshd_config file at the kernel level. That edit persists only while the Nexus device stays up; the file reverts to its default values on reload, so it is a temporary workaround only.

We need a CLI-level option that lets the customer enable or disable algorithms individually, and the change made through the CLI (bash-shell) must be permanent and survive a switch reload.

The devices support the following weak key exchange algorithms (KEX):
• diffie-hellman-group-exchange-sha1
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group14-sha1
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

The devices support the following weak host-key algorithms (KEY):
• ssh-rsa
• ecdsa-sha2-nistp256

The devices support the following weak encryption algorithms (ENC ciphers):
• aes128-cbc
• aes192-cbc
• aes256-cbc
• rijndael-cbc@lysator.liu.se

The devices support the following weak message authentication code algorithms (MAC):
• hmac-sha1
• hmac-md5
• hmac-md5-96
• hmac-sha1-96
• hmac-ripemd160
• hmac-ripemd160@openssh.com
• hmac-ripemd160-etm@openssh.com
• hmac-md5-etm@openssh.com
• hmac-md5-96-etm@openssh.com
• hmac-sha1-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512
• umac-128@openssh.com
• umac-64-et@openssh.com
• umac-64@openssh.com
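To verify whether the temporary dcos_sshd_config edit actually removed the flagged algorithms before the next reload, an sshd_config-style audit helps. The following is an added example, not code from the report or from the Nexus platform; the weak-algorithm sets are copied from the lists above, the sample config text is constructed, and it assumes the file uses standard sshd_config keyword syntax.

```python
# Added example: audit an sshd_config-style text for the weak algorithms
# listed in the report. WEAK is copied from the report's four lists.
WEAK = {
    "kexalgorithms": {
        "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    },
    "hostkeyalgorithms": {"ssh-rsa", "ecdsa-sha2-nistp256"},
    "ciphers": {"aes128-cbc", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se"},
    "macs": {
        "hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160",
        "hmac-ripemd160@openssh.com", "hmac-ripemd160-etm@openssh.com",
        "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
        "hmac-sha1-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512",
        "umac-128@openssh.com", "umac-64-et@openssh.com", "umac-64@openssh.com",
    },
}

def parse_algorithm_lines(config_text):
    """Return {directive: [algorithms]} for the four algorithm directives.
    sshd honours the first occurrence of a keyword, so later repeats are ignored;
    'Key Value' and 'Key=Value' forms are both accepted, comments are skipped."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key in WEAK and key not in found:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def audit(config_text):
    """Return {directive: sorted list of weak algorithms still enabled}; empty if clean."""
    enabled = parse_algorithm_lines(config_text)
    return {k: sorted(WEAK[k] & set(v)) for k, v in enabled.items() if WEAK[k] & set(v)}

# Constructed sample mimicking a permissive configuration.
SAMPLE_CONFIG = """\
KexAlgorithms ecdh-sha2-nistp384,curve25519-sha256,diffie-hellman-group14-sha1
Ciphers aes256-gcm@openssh.com,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1
"""

if __name__ == "__main__":
    for directive, weak in audit(SAMPLE_CONFIG).items():
        print(f"{directive}: weak algorithms still enabled -> {', '.join(weak)}")
```

Run it again after a reload to confirm whether the file has reverted to defaults, which is exactly the persistence gap the request describes.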