On a critical network, adjusting the firewall's SSH settings is a requirement.
When you verify your Secure Shell (SSH) connection to the firewall, the verification uses SSH keys. You can use the CLI to change the default host key type, generate a new pair of public and private SSH host keys, and configure other SSH encryption settings.
The following examples show how to refresh (regenerate) your SSH keys and change various SSH settings after you access the CLI. The settings marked as recommended provide a stronger security posture.
(Optional) Set the default host key type.
- admin@PA-3060> configure
- admin@PA-3060# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA key-length 256
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
- admin@PA-3060> configure
- admin@PA-3060# show deviceconfig system ssh default-hostkey
Set the parameters that determine when automatic rekeying of the session keys occurs for SSH to the management interface.
- admin@PA-3060# set deviceconfig system ssh session-rekey mgmt data 32
- admin@PA-3060# set deviceconfig system ssh session-rekey mgmt interval 3600
- admin@PA-3060# set deviceconfig system ssh session-rekey mgmt packets 27
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
- admin@PA-3060> configure
- admin@PA-3060# show deviceconfig system ssh session-rekey mgmt
(Optional) Set the SSH server to use the specified encryption ciphers.
- admin@PA-3060> configure
- admin@PA-3060# set deviceconfig system ssh ciphers mgmt <cipher>
  where <cipher> is one of:
  - aes128-cbc: AES 128-bit cipher with Cipher Block Chaining
  - aes128-ctr: AES 128-bit cipher with Counter Mode
  - aes128-gcm: AES 128-bit cipher with GCM (Galois/Counter Mode)
  - aes192-cbc: AES 192-bit cipher with Cipher Block Chaining
  - aes192-ctr: AES 192-bit cipher with Counter Mode
  - aes256-cbc: AES 256-bit cipher with Cipher Block Chaining
  - aes256-ctr: (Recommended) AES 256-bit cipher with Counter Mode
  - aes256-gcm: (Recommended) AES 256-bit cipher with GCM
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
- admin@PA-3060> configure
- admin@PA-3060# show deviceconfig system ssh ciphers mgmt
(Optional) Delete a cipher from the set of ciphers you selected to encrypt your CLI session to the management interface.
- admin@PA-3060> configure
- admin@PA-3060# delete deviceconfig system ssh ciphers mgmt aes128-cbc
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
- admin@PA-3060> configure
- admin@PA-3060# show deviceconfig system ssh ciphers mgmt
(Optional) Set the session key exchange algorithm for SSH to the management interface.
- admin@PA-3060> configure
- admin@PA-3060# set deviceconfig system ssh kex mgmt <value>
  where <value> is one of:
  - diffie-hellman-group14-sha1: Diffie-Hellman group 14 with SHA1 hash
  - ecdh-sha2-nistp256: (Recommended) Elliptic-Curve Diffie-Hellman over National Institute of Standards and Technology (NIST) P-256 with SHA2-256 hash
  - ecdh-sha2-nistp384: (Recommended) Elliptic-Curve Diffie-Hellman over NIST P-384 with SHA2-384 hash
  - ecdh-sha2-nistp521: (Recommended) Elliptic-Curve Diffie-Hellman over NIST P-521 with SHA2-512 hash
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
(Optional) Set the message authentication code (MAC) for SSH to the management interface.
- admin@PA-3060> configure
- admin@PA-3060# set deviceconfig system ssh mac mgmt <value>
  where <value> is one of:
  - hmac-sha1: MAC with SHA1 cryptographic hash
  - hmac-sha2-256: (Recommended) MAC with SHA2-256 cryptographic hash
  - hmac-sha2-512: (Recommended) MAC with SHA2-512 cryptographic hash
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
Regenerate ECDSA or RSA host keys for SSH to replace the existing keys.
- admin@PA-3060> configure
- admin@PA-3060# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
- admin@PA-3060# commit
- admin@PA-3060# exit
- admin@PA-3060> set ssh service-restart mgmt
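Once the mgmt SSH service has been restarted, the firewall's own configuration only tells you what was set; a defender will also want to confirm from the client side that the server now offers nothing outside the recommended key exchange, cipher and MAC sets. The following added example (not from this page or from Palo Alto Networks) parses an SSH_MSG_KEXINIT payload as defined in RFC 4253 and reports every offered algorithm that falls outside the recommended sets above. It assumes the server announces the GCM cipher under the OpenSSH wire name aes256-gcm@openssh.com, and the sample payload is constructed, not captured from a real firewall.

```python
import struct

# Wire names of the algorithms this page marks as recommended. PAN-OS calls the GCM
# cipher "aes256-gcm"; the wire name "aes256-gcm@openssh.com" is an assumption.
RECOMMENDED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "cipher": {"aes256-ctr", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}
LIST_NAMES = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []          # skip the message id byte and the 16-byte cookie
    for _ in range(10):          # each name-list is a uint32 length + comma-separated names
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        pos += n
    return dict(zip(LIST_NAMES, lists))

def audit(kexinit: dict) -> dict:
    """Per category, the offered algorithms that fall outside the recommended set."""
    offered = {
        "kex": set(kexinit["kex"]),
        "cipher": set(kexinit["cipher_c2s"]) | set(kexinit["cipher_s2c"]),
        "mac": set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"]),
    }
    return {cat: sorted(offered[cat] - RECOMMENDED[cat]) for cat in RECOMMENDED}

def build_kexinit(kex, hostkey, ciphers, macs) -> bytes:
    """Build a KEXINIT payload; used here only to construct the sample below."""
    def name_list(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = b"\x14" + bytes(16)   # message id 20 plus an all-zero cookie (constructed)
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        body += name_list(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved

# Constructed sample: a server still offering the legacy group14-sha1, CBC and SHA1 options.
SAMPLE = build_kexinit(
    ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"], ["ecdsa-sha2-nistp256"],
    ["aes256-ctr", "aes256-gcm@openssh.com", "aes128-cbc"], ["hmac-sha2-256", "hmac-sha1"])
FINDINGS = audit(parse_kexinit(SAMPLE))   # non-empty lists mean the hardening is incomplete
```

A live firewall's KEXINIT payload is the first unencrypted binary packet it sends after the version banner, so it can be taken from a packet capture of a connection to the management interface.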
For document reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection.html