ssh-audit

mirror of https://github.com/jtesta/ssh-audit.git synced 2024-11-16 13:35:39 +01:00

Table of Contents

1. Re-generate the RSA keys
2. Restrict supported key exchange, cipher and MAC algorithms
3. Save the running configuration of the switch to flash
Limitations
Validated versions

ArubaOS Switch or short AOS-S is a network operating system (NOS) used on various switches from Aruba Networks, a subsidiary of HPE. It was formerly known as HP ProVision. Depending on the version of AOS-S not all command may be available, this guide covers AOS-S 16.11.

SSH into a switch running AOS-S, or use a local serial connection in order to apply these options.

1. Re-generate the RSA keys

configure

crypto key generate ssh rsa bits 3072

exit

If the size is omitted, a 2048 Bit RSA key will be generated, 3072 is the largest size supported so far.

2. Restrict supported key exchange, cipher and MAC algorithms

configure

no ip ssh cipher 3des-cbc
no ip ssh cipher aes128-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se

no ip ssh mac hmac-md5
no ip ssh mac hmac-md5-96
no ip ssh mac hmac-sha1
no ip ssh mac hmac-sha1-96

no ip ssh kex ecdh-sha2-nistp256
no ip ssh kex ecdh-sha2-nistp384
no ip ssh kex ecdh-sha2-nistp521
no ip ssh kex diffie-hellman-group14-sha1

# Starting with 16.11.0015:
no ip ssh host-key-algorithm x509v3-ssh-rsa
no ip ssh host-key-algorithm ssh-dss
no ip ssh host-key-algorithm ssh-rsa

exit

3. Save the running configuration of the switch to flash

write memory

Limitations

AOS-S 16.11 doesn't allow you reaching a perfect score, here are some reasons:

Host-key algorithms: AOS-S supports either RSA (up to 3072 Bit) or DSA (up to 1024 Bit) host keys, that's it so far.
MACs: hmac-sha2-256 cannot be disabled, as it is the only remaining after disabling all other insecure MACs.

Validated versions

16.11.x	ssh-audit
YA.16.11.0016	master @ f326d58068c7914ee1af6dbad4a7f67be9d67155
YA.16.11.0013
YA.16.11.0008
YA.16.11.0005

footer2