Enabling individual ciphers in the SSH administrative access protocol (7.0.2)
Individual ciphers for SSH administrative access can now be configured from the CLI. Administrators select the algorithms offered for SSH encryption, key exchange, and message authentication with the following settings; each setting accepts one or more of the values shown, and only the values listed are offered to clients:
config system global
    set strong-crypto enable
    set ssh-enc-algo {chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com}
    set ssh-kex-algo {diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org}
    set ssh-mac-algo {hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com}
end
If strong-crypto is disabled, the diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1 options are also available for ssh-kex-algo. Both are SHA-1 based key exchanges; leaving strong-crypto enabled keeps them out of the offer entirely.
The following on/off settings have been removed from FortiOS and are replaced by the per-algorithm settings above:
config system global
    set ssh-cbc-cipher {enable | disable}
    set ssh-hmac-md5 {enable | disable}
    set ssh-kex-sha1 {enable | disable}
    set ssh-mac-weak {enable | disable}
end
To configure individual ciphers in the SSH administrative access protocol:
- Configure the ciphers (this example restricts each category to a single algorithm):
config system global
    set ssh-enc-algo chacha20-poly1305@openssh.com
    set ssh-kex-algo diffie-hellman-group-exchange-sha256
    set ssh-mac-algo hmac-sha2-256
end
- On the client PC, open an SSH connection to the FortiGate with an OpenSSH client, forcing the client to offer only the configured algorithms:
# ssh -c chacha20-poly1305@openssh.com -m hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 admin@FGT_IPaddress
admin@172.16.200.1's password:
FortiGate-101F # get system status
Version: FortiGate-101F v7.0.2,build0197,210827 (interim)
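A successful login only proves that one algorithm set is accepted; it does not prove that the weak options the removed settings used to toggle are gone from the offer. The following is an added example, not FortiOS's own tooling or text from this page: a POSIX shell audit that reads the server KEXINIT proposal printed by `ssh -vv` and flags SHA-1 key exchanges, CBC ciphers and MD5 or 96-bit MACs. The two KEXINIT samples are constructed for this example (the "hardened" one mirrors the settings configured above), the weak-name pattern is this example's own choice, and the host 172.16.200.1 is taken from the procedure.

```shell
#!/bin/sh
# Added example (not FortiOS's own tooling): audit the algorithms a FortiGate
# advertises for SSH, from the KEXINIT proposal that `ssh -vv` prints.
# Run against a live unit with:
#   ssh -vv -o BatchMode=yes admin@172.16.200.1 2>&1 | audit_kexinit
# (BatchMode makes the client give up at authentication instead of prompting;
#  the proposals have already been exchanged by then, which is all we need.)

# Names treated as weak: SHA-1 based KEX or MACs, CBC ciphers, MD5 and truncated
# (-96) MACs. This pattern is an assumption of this example, chosen to cover the
# options the removed ssh-cbc-cipher / ssh-hmac-md5 / ssh-kex-sha1 / ssh-mac-weak
# settings used to toggle; extend it as needed.
WEAK_RE='-sha1($|-)|-md5($|-)|-cbc$|-96($|-)'

# Extract one field of the *server's* KEXINIT proposal from ssh -vv output on stdin.
# $1 is the label ssh prints, e.g. "KEX algorithms", "ciphers stoc", "MACs stoc".
# The client's own proposal uses the same labels, so only lines between
# "peer server KEXINIT proposal" and "first_kex_follows" are considered.
server_proposal() {
    awk -v field="$1" '
        BEGIN { label = "debug2: " field ": " }
        /peer server KEXINIT proposal/ { in_server = 1; next }
        /first_kex_follows/            { in_server = 0 }
        in_server && index($0, label) == 1 { print substr($0, length(label) + 1); exit }'
}

# Print each comma-separated entry of $1 that matches WEAK_RE, one per line
# (prints nothing when the list is clean).
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$WEAK_RE" || true
}

# Read ssh -vv output on stdin; return 0 when the server's KEX, cipher and MAC
# offers contain nothing weak, 1 otherwise (offending entries go to stdout).
audit_kexinit() {
    kexinit_log=$(cat)
    weak_found=0
    for field in 'KEX algorithms' 'ciphers stoc' 'MACs stoc'; do
        offer=$(printf '%s\n' "$kexinit_log" | server_proposal "$field")
        weak=$(weak_entries "$offer")
        if [ -n "$weak" ]; then
            printf 'weak %s: %s\n' "$field" "$(printf '%s' "$weak" | tr '\n' ' ')"
            weak_found=1
        fi
    done
    return "$weak_found"
}

# Constructed sample of the relevant ssh -vv lines for a unit configured as in
# the procedure above (not captured output from a real FortiGate).
HARDENED_KEXINIT='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: first_kex_follows 0
debug2: reserved 0'

# Constructed sample of a legacy server that still offers the kind of
# algorithms the removed settings governed (SHA-1 KEX, CBC, MD5/96-bit MACs).
LEGACY_KEXINIT='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-md5,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-md5,hmac-sha1-96
debug2: first_kex_follows 0'

printf '%s\n' "$HARDENED_KEXINIT" | audit_kexinit && echo 'hardened sample: no weak algorithms offered'
printf '%s\n' "$LEGACY_KEXINIT"   | audit_kexinit || echo 'legacy sample: weak algorithms offered'
```

The audit only looks at what the server advertises, which is exactly what a scanner sees. For the complementary negative test, make the client offer only a removed algorithm, for example `ssh -o KexAlgorithms=diffie-hellman-group14-sha1 admin@172.16.200.1`: with strong-crypto enabled and the settings above, OpenSSH must fail before authentication with "Unable to negotiate ... no matching key exchange method found" and print the FortiGate's offer, which should match what `server_proposal 'KEX algorithms'` extracts.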