SSH Manipulation – Palo Alto

Hardening the SSH configuration of the firewall's management interface is required on a critical network.

When you verify your Secure Shell (SSH) connection to the firewall, the verification uses SSH keys. You can use the CLI to change the default host key type, generate a new pair of public and private SSH host keys, and configure other SSH encryption settings.
The following examples show how to refresh (regenerate) your SSH keys and change various SSH settings after you access the CLI. The settings marked as recommended provide a stronger security posture.
(Optional) Set the default host key type.

Establish when automatic rekeying of the session keys occurs for SSH to the management interface by setting parameters.

(Optional) Set the SSH server to use the specified encryption ciphers.

    username@hostname> configure
    username@hostname# set deviceconfig system ssh ciphers mgmt <cipher>

  Values for <cipher>:
  • aes128-cbc — AES 128-bit cipher with Cipher Block Chaining
  • aes128-ctr — AES 128-bit cipher with Counter Mode
  • aes128-gcm — AES 128-bit cipher with GCM (Galois/Counter Mode)
  • aes192-cbc — AES 192-bit cipher with Cipher Block Chaining
  • aes192-ctr — AES 192-bit cipher with Counter Mode
  • aes256-cbc — AES 256-bit cipher with Cipher Block Chaining
  • aes256-ctr — (Recommended) AES 256-bit cipher with Counter Mode
  • aes256-gcm — (Recommended) AES 256-bit cipher with GCM

  Commit, restart the management SSH service so the new cipher set takes effect, and verify the result:

    username@hostname# commit
    username@hostname# exit
    username@hostname> set ssh service-restart mgmt
    username@hostname> configure
    username@hostname# show deviceconfig system ssh ciphers mgmt

(Optional) Delete a cipher from the set of ciphers you selected to encrypt your CLI session to the management interface.

(Optional) Set the session key exchange algorithm for SSH to the management interface.

    username@hostname> configure
    username@hostname# set deviceconfig system ssh kex mgmt <value>

  Values for <value>:
  • diffie-hellman-group14-sha1 — Diffie-Hellman group 14 with SHA1 hash
  • ecdh-sha2-nistp256 — (Recommended) Elliptic-Curve Diffie-Hellman over National Institute of Standards and Technology (NIST) P-256 with SHA2-256 hash
  • ecdh-sha2-nistp384 — (Recommended) Elliptic-Curve Diffie-Hellman over NIST P-384 with SHA2-384 hash
  • ecdh-sha2-nistp521 — (Recommended) Elliptic-Curve Diffie-Hellman over NIST P-521 with SHA2-512 hash

  Commit and restart the management SSH service so the new key exchange algorithm takes effect:

    username@hostname# commit
    username@hostname# exit
    username@hostname> set ssh service-restart mgmt

(Optional) Set the message authentication code (MAC) for SSH to the management interface.

Regenerate ECDSA or RSA host keys for SSH to replace the existing keys.
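As an added example that is not part of this page or of Palo Alto's own tooling, the Python below parses set-format lines such as those shown for the cipher and key-exchange settings above, flags any algorithm the page does not mark as recommended, and emits the commands to fix them. It assumes that the PAN-OS `delete` command takes the same path as the `set` command shown on the page, and the sample configuration is constructed.

```python
import re

# Names exactly as the page lists them for mgmt SSH, and the "(Recommended)" subset.
PAGE_CIPHERS = {"aes128-cbc", "aes128-ctr", "aes128-gcm", "aes192-cbc",
                "aes192-ctr", "aes256-cbc", "aes256-ctr", "aes256-gcm"}
RECOMMENDED_CIPHERS = {"aes256-ctr", "aes256-gcm"}
PAGE_KEX = {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}
RECOMMENDED_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}

# One set-format line; the value is a single name or a bracketed member list.
SET_LINE = re.compile(r"^set deviceconfig system ssh (ciphers|kex) mgmt (.+)$")

def parse_mgmt_ssh(config_text):
    """Collect the configured mgmt cipher and kex names from set-format lines."""
    found = {"ciphers": set(), "kex": set()}
    for line in config_text.splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            found[m.group(1)].update(m.group(2).strip("[] ").split())
    return found

def audit_mgmt_ssh(config_text):
    """Return (findings, remediation commands) for the mgmt SSH cipher/kex lists."""
    cfg = parse_mgmt_ssh(config_text)
    findings, fix = [], []
    for kind, listed, wanted in (("ciphers", PAGE_CIPHERS, RECOMMENDED_CIPHERS),
                                 ("kex", PAGE_KEX, RECOMMENDED_KEX)):
        label = kind.rstrip("s")  # "cipher" / "kex"
        for name in sorted(cfg[kind]):
            if name not in listed:
                findings.append(f"{label} {name}: not an option the page lists")
            elif name not in wanted:
                why = ("CBC mode" if name.endswith("-cbc") else
                       "SHA1 hash" if name.endswith("-sha1") else "not recommended")
                findings.append(f"{label} {name}: {why}")
                # Assumed: PAN-OS 'delete' takes the same path as the 'set' on the page.
                fix.append(f"delete deviceconfig system ssh {kind} mgmt {name}")
        for name in sorted(wanted - cfg[kind]):
            fix.append(f"set deviceconfig system ssh {kind} mgmt {name}")
    if fix:  # the page's follow-up steps: commit, then restart the mgmt SSH service
        fix += ["commit", "exit", "set ssh service-restart mgmt"]
    return findings, fix

# Constructed sample of set-format output, not captured from a real firewall.
SAMPLE_CONFIG = """\
set deviceconfig system ssh ciphers mgmt [ aes256-ctr aes128-cbc ]
set deviceconfig system ssh kex mgmt diffie-hellman-group14-sha1
set deviceconfig system ssh kex mgmt ecdh-sha2-nistp256
"""
```

Running `audit_mgmt_ssh(SAMPLE_CONFIG)` reports the CBC cipher and the SHA1 key exchange and lists the delete, set, commit and restart commands that bring the configuration to the recommended set.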

For document reference:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection.html
