HMC - how to disable inappropriate ciphers

By kimot, 9 April, 2024

If you received a report from your security department listing vulnerabilities on the HMC SSH port, such as:
Supports following CBC Client to Server algorithm               : 3des-cbc
Supports following CBC Client to Server algorithm               : aes128-cbc
Supports following CBC Client to Server algorithm               : aes256-cbc
Supports following CBC Client to Server algorithm               : aes192-cbc
Supports following Encrypt-then-MAC Client to Server algorithm  : hmac-sha1-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm  : hmac-sha2-256-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm  : umac-64-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm  : umac-128-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm  : hmac-sha2-512-etm@openssh.com


You can list the ciphers defined on your HMC with the lshmcencr command. Use the option webui for the ciphers used by the web user interface; the options ssh and sshmac are used for the SSH interface.

With the chhmcencr command and the option r you can remove a given cipher. The example below shows how these commands work.

user@HMC:~> lshmcencr -c ssh -t c
"curr_encryptions=aes128-cbc,aes128-ctr,aes128-gcm@openssh.com,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se"

user@HMC:~> chhmcencr -c ssh -o r -e chacha20-poly1305@openssh.com
user@HMC:~> chhmcencr -c ssh -o r -e rijndael-cbc@lysator.liu.se
user@HMC:~> chhmcencr -c ssh -o r -e aes128-cbc
user@HMC:~> chhmcencr -c ssh -o r -e aes192-cbc
user@HMC:~> chhmcencr -c ssh -o r -e aes256-cbc

user@HMC:~> lshmcencr -c ssh -t c
"curr_encryptions=aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com"
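When the cipher list is long it is easy to miss one or to mistype a name in the chhmcencr call. The script below is an added example, not part of the original post or of the HMC tooling: it takes the line that lshmcencr -c ssh -t c prints (the two sample lines are constructed from the session above), lists the CBC ciphers the scanner complained about, prints the matching chhmcencr removal commands for review, and provides a check that can be run on the new listing afterwards. It assumes the output keeps the quoted curr_encryptions=... shape shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: turn an lshmcencr cipher
# listing into the chhmcencr removal commands for CBC ciphers, and verify
# the result. Input lines below are constructed from the post's session.

# Constructed: what `lshmcencr -c ssh -t c` printed before hardening.
BEFORE='"curr_encryptions=aes128-cbc,aes128-ctr,aes128-gcm@openssh.com,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se"'
# Constructed: the same command after the CBC ciphers were removed.
AFTER='"curr_encryptions=aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com"'

# cipher_list LINE: strip the quoted key=value wrapper and print one cipher per line.
cipher_list() {
    printf '%s\n' "$1" | sed -e 's/^"curr_encryptions=//' -e 's/"$//' | tr ',' '\n'
}

# cbc_ciphers LINE: only the entries a CBC finding refers to (name contains "-cbc").
cbc_ciphers() {
    cipher_list "$1" | grep -e '-cbc' || true
}

# removal_commands LINE: one chhmcencr call per CBC cipher, printed rather than
# executed so the list can be reviewed before it is pasted into the HMC shell.
removal_commands() {
    cbc_ciphers "$1" | while IFS= read -r cipher; do
        printf 'chhmcencr -c ssh -o r -e %s\n' "$cipher"
    done
}

# cbc_free LINE: exit 0 when no CBC cipher remains, 1 otherwise (post-change check).
cbc_free() {
    if cipher_list "$1" | grep -q -e '-cbc'; then
        return 1
    fi
    return 0
}

# Usage: show what would be removed, then check the hardened listing.
removal_commands "$BEFORE"
cbc_free "$AFTER" && echo "no CBC ciphers left"
```

The filter only selects names containing -cbc, so chacha20-poly1305@openssh.com, which the post removes and later re-adds, is left in place because the scanner did not flag it. The same approach applies to the Encrypt-then-MAC findings through lshmcencr/chhmcencr with -c sshmac, with the weak pattern changed to match hmac-sha1-etm and umac-64-etm; the exact output key for that class is not shown in the post, so adjust the sed expression to whatever the HMC prints.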

If you accidentally remove a cipher you still need from the list, nothing is lost: you can add it again using the option a.

user@HMC:~> lshmcencr -c ssh -t c
"curr_encryptions=aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com"

user@HMC:~> chhmcencr -c ssh -o a -e chacha20-poly1305@openssh.com

user@HMC:~> lshmcencr -c ssh -t c
"curr_encryptions=chacha20-poly1305@openssh.com,aes128-ctr,aes128-gcm@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com"