Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system

Information

You can configure the SSH service (also known as sshd) to use a desired set of encryption ciphers, KEX algorithms, and MAC algorithms to meet the
security policy enforced in your environment. This article discusses how to accomplish this by modifying the SSH service configuration using the TMOS shell (tmsh).

By default, the TMOS sys sshd configuration does not include a specific set of ciphers or MAC algorithms for BIG-IP and BIG-IQ systems. The default sys sshd configuration for BIG-IP 15.0.1 appears similar to the following example:

sys sshd {
    allow { ALL }
    banner disabled
    banner-text none
    description none
    fips-cipher-version 0
    inactivity-timeout 0
    include none
    log-level info
    login enabled
    port 22
}

The include statement is the line in the TMOS sys sshd configuration whose value is written into the /config/ssh/sshd_config configuration file, which is where you can supply a list of specific encryption ciphers, KEX algorithms, or MAC algorithms. Use the keywords Ciphers, KexAlgorithms, and MACs inside the include statement to specify the desired list for each. Keywords supplied this way override the pre-existing keywords of the same name in /config/ssh/sshd_config.

Solution

1. Log in to tmsh by typing the following command:
tmsh

2. To modify the sshd configuration, type the following command to start the vi editor:
edit /sys sshd all-properties

3. To change the list of ciphers, navigate to the line that starts with the include statement and use the keyword Ciphers to add or modify the list of ciphers for the SSH service (the KexAlgorithms and MACs keywords are used the same way for the KEX and MAC algorithm lists).
4. Save the changes for the sys sshd configuration and exit the vi editor.
5. Respond y to the prompt asking to save the changes.
6. To save the configuration to disk, type the following command:
save /sys config
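The following is an added example (not F5's own code) that audits the value of a sys sshd include statement against an allowed-algorithm policy and builds the equivalent tmsh modify command; the ALLOWED policy and the sample include value are constructed here for illustration, and the multi-line quoted include value is assumed to be accepted by tmsh as one string.

```python
# Added example: parse the "sys sshd include" value, report algorithms that
# fall outside an allowed policy, and build the tmsh command that applies a
# compliant include value. Not F5's code; policy and sample are constructed.
import re

# Assumed policy for illustration only; substitute your own approved lists.
ALLOWED = {
    "Ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "MACs": {"hmac-sha2-256", "hmac-sha2-512"},
    "KexAlgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256"},
}
KEYWORDS = tuple(ALLOWED)

# Constructed sample include value, one sshd keyword per line.
SAMPLE_INCLUDE = ("Ciphers aes256-ctr,aes128-cbc\n"
                  "MACs hmac-sha2-256,hmac-sha1\n"
                  "KexAlgorithms ecdh-sha2-nistp256")

def parse_include(include_text):
    """Map each Ciphers/KexAlgorithms/MACs line to its algorithm list.
    The first line for a keyword wins, as sshd uses the first value it
    reads for a keyword and ignores later repeats."""
    found = {}
    for line in include_text.splitlines():
        m = re.match(r"\s*(Ciphers|KexAlgorithms|MACs)\s+(\S+)", line)
        if m and m.group(1) not in found:
            found[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return found

def audit_include(include_text):
    """Return {keyword: sorted disallowed algorithms}. A keyword the include
    never sets is reported as 'MISSING', since sshd then falls back to its
    built-in defaults rather than to your policy."""
    found = parse_include(include_text)
    return {kw: (sorted(set(found[kw]) - ALLOWED[kw]) if kw in found
                 else ["MISSING"]) for kw in KEYWORDS}

def build_tmsh_include(policy):
    """Build the tmsh command that writes the given lists into the include
    statement (and so into /config/ssh/sshd_config), one keyword per line."""
    lines = [f"{kw} {','.join(policy[kw])}" for kw in KEYWORDS if kw in policy]
    return 'modify /sys sshd include "' + "\n".join(lines) + '"'

if __name__ == "__main__":
    for kw, bad in audit_include(SAMPLE_INCLUDE).items():
        print(kw, "OK" if not bad else "non-compliant: " + ",".join(bad))
    print(build_tmsh_include({kw: sorted(v) for kw, v in ALLOWED.items()}))
```

Run the printed modify command inside tmsh, then save /sys config as in step 6; the audit function can also be pointed at the include value shown by list /sys sshd include.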

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-10, CAT|II, CCI|CCI-000054, Rule-ID|SV-74521r2_rule, STIG-ID|F5BI-DM-000003, Vuln-ID|V-60091

Plugin: F5

Control ID: da756150fa100c21aabf12c8b6ae868e9ac034b8e581d4f3e35719faf7c5d73c