Fortinet Document Library
Enabling individual ciphers in the SSH administrative access protocol 7.0.2

The ciphers used for SSH administrative access can now be configured individually from the CLI. Administrators select the algorithms used for SSH encryption, key exchange, and MAC with the following settings:

config system global
    set strong-crypto enable
    set ssh-enc-algo {chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com}
    set ssh-kex-algo {diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org}
    set ssh-mac-algo {hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com}
end

If strong-crypto is disabled, the diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1 options are available for ssh-kex-algo.

The following settings have been removed from FortiOS:

config system global
    set ssh-cbc-cipher {enable | disable}
    set ssh-hmac-md5 {enable | disable}
    set ssh-kex-sha1 {enable | disable}
    set ssh-mac-weak {enable | disable}
end

To configure individual ciphers in the SSH administrative access protocol:
  1. Configure the ciphers:
    config system global
        set ssh-enc-algo chacha20-poly1305@openssh.com
        set ssh-kex-algo diffie-hellman-group-exchange-sha256
        set ssh-mac-algo hmac-sha2-256
    end
  2. On the client PC, open an SSH connection to the FortiGate using the configured ciphers:
    # ssh -c chacha20-poly1305@openssh.com -m hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 admin@FGT_IPaddress
    admin@172.16.200.1's password:
    FortiGate-101F # get system status
    Version: FortiGate-101F v7.0.2,build0197,210827 (interim)
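Step 2 above proves that a client asking for the configured algorithms can still log in; it does not prove that the FortiGate stopped offering anything else. The server's full algorithm lists are announced in its first SSH_MSG_KEXINIT message (RFC 4253, section 7.1), before authentication, so one unauthenticated read of that message is enough to audit the change. The script below is an added example, not Fortinet's code or part of this document: it constructs two sample KEXINIT offers inline (an illustrative strict one and one still carrying legacy algorithms), parses them, and reports anything outside the allowlist set in step 1. The function names, the probe's client version string and the sample offers are this example's own assumptions.

```python
"""Verify which algorithms an SSH server offers (added example, not Fortinet code).

After restricting ssh-enc-algo, ssh-kex-algo and ssh-mac-algo, the useful
check is whether the FortiGate's management SSH port still *offers* anything
else. A server announces its complete algorithm lists in its first
SSH_MSG_KEXINIT message (RFC 4253, section 7.1), before any authentication,
so reading that one message is enough. This module parses constructed
KEXINIT samples offline; probe_server() is the optional live check.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# Allowlist: exactly the values set in step 1 of the procedure above.
EXPECTED = {
    "kex": {"diffie-hellman-group-exchange-sha256"},
    "enc": {"chacha20-poly1305@openssh.com"},
    "mac": {"hmac-sha2-256"},
}

# Order of the ten name-lists inside KEXINIT (RFC 4253, section 7.1).
_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(items):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    raw = ",".join(items).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac):
    """Build a KEXINIT payload (used here only to construct sample server offers)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie
    for lst in (kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += _name_list(lst)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def wrap_packet(payload):
    """Apply RFC 4253 binary-packet framing (unencrypted, so no MAC)."""
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:  # RFC 4253 requires at least four bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def unwrap_packet(packet):
    """Strip binary-packet framing and return the payload."""
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    return packet[5:5 + packet_length - padding_length - 1]


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {list_name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # skip message id and the random cookie
    offered = {}
    for name in _LISTS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        offered[name] = [n for n in raw.split(",") if n]
    return offered


def unexpected_algorithms(offered, expected=EXPECTED):
    """Return, per category, the offered algorithms that are not on the allowlist.

    Both directions of the cipher and MAC lists are checked, since a server
    may advertise different sets for client->server and server->client.
    """
    return {
        "kex": set(offered["kex"]) - expected["kex"],
        "enc": (set(offered["enc_c2s"]) | set(offered["enc_s2c"])) - expected["enc"],
        "mac": (set(offered["mac_c2s"]) | set(offered["mac_s2c"])) - expected["mac"],
    }


def probe_server(host, port=22, timeout=5.0):
    """Live check: do the version exchange and return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit-probe\r\n")  # assumed client identification string
        stream = sock.makefile("rb")
        while True:  # servers may send banner lines before their version string
            line = stream.readline()
            if not line:
                raise ConnectionError("server closed before sending a version string")
            if line.startswith(b"SSH-"):
                break
        header = stream.read(5)
        packet_length, _ = struct.unpack(">IB", header)
        return parse_kexinit(unwrap_packet(header + stream.read(packet_length - 1)))


# Constructed samples (illustrative, not captured from a real device).
SAMPLE_STRICT = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha256"], hostkey=["ssh-rsa"],
    enc=["chacha20-poly1305@openssh.com"], mac=["hmac-sha2-256"])
SAMPLE_LEGACY = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    hostkey=["ssh-rsa"], enc=["chacha20-poly1305@openssh.com", "aes128-cbc"],
    mac=["hmac-sha2-256", "hmac-md5"])

if __name__ == "__main__":
    # Usage: python check_ssh_kexinit.py <management IP>; with no host, SAMPLE_LEGACY is checked.
    offered = probe_server(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(SAMPLE_LEGACY)
    for category, extra in unexpected_algorithms(offered).items():
        print(f"{category}: {'OK' if not extra else 'unexpected ' + ', '.join(sorted(extra))}")
```

Run it with the FortiGate's management address as the only argument after step 1 and again after toggling strong-crypto: with strong-crypto disabled, the SHA-1 key-exchange options the page mentions become selectable, and a KEXINIT audit is the quickest way to see whether they are actually being offered on the wire. Host-key algorithms are parsed too but deliberately not judged, because they are not governed by the three settings this page describes.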