To improve ePMP security Cambium Networks is planning to deprecate legacy SSH algorithms usage for ePMP and PTP550 product lines in the upcoming software releases.
The following key exchange, host-key, message authentication code, and encryption algorithms are deprecated starting with firmware version 4.7.0 and 5.2.0 but still enabled:
- ssh-rsa – key algorithm to remove
- diffie-hellman-group14-sha1 – kex algorithm to remove
- hmac-sha1 – mac algorithm to remove
Starting with firmware version 4.8.0 and 5.3.0 deprecated algorithm support will be turned off by default.
Outdated SSH clients might lack the support of modern algorithms and be unable to establish an SSH connection to ePMP devices with disabled support of deprecated algorithms.
Ubuntu 12.04 with default OpenSSH client and MikroTik RouterOS 6.48.3 will be unable to establish an SSH connection to an ePMP radio.
To provide network administrators options for a smooth migration and to minimize service outages there will be an option to enable deprecated algorithms support.
Via GUI
System → General → Deprecated SSH Algorithms.
Via CLI
ePMP3000>config set cambiumSSHServerDeprecatedAlgorithms 1
(1 – enabled, 0 – disabled)
Via SNMP:
cambiumSSHServerDeprecatedAlgorithms OBJECT-TYPE
SYNTAX Integer32 (0|1)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Cambium SSH Server: support deprecated algorithms
0 - Disable
1 - Enable
Device Allocation: AP, SM"
Via CnMaestro template:
{
"device_props": {
"cambiumSSHServerDeprecatedAlgorithms": "1"
}
}
In SW 4.7.0 and 5.2.0 old algorithms support option is enabled by default. In next releases it will bedisabled by default.
Here is the full list of algorithms present in 4.6.1:
| Algorithm | Notes |
|---|---|
| key exchange algorithms | |
| curve25519-sha256 | available since OpenSSH 7.4, Dropbear SSH 2018.76 |
| curve25519-sha256@libssh.org | available since OpenSSH 6.5, Dropbear SSH 2013.62 |
| diffie-hellman-group14-sha256 | available since OpenSSH 7.3, Dropbear SSH 2016.73 |
| diffie-hellman-group14-sha1 |
|
| kexguess2@matt.ucc.asn.au | available since Dropbear SSH 2013.57 |
| host-key algorithms | |
| ssh-rsa (2048-bit) |
|
| encryption algorithms (ciphers) | |
| aes128-ctr | available since OpenSSH 3.7, Dropbear SSH 0.52 |
| aes256-ctr | available since OpenSSH 3.7, Dropbear SSH 0.52 |
| message authentication code (MAC) algorithms | |
| hmac-sha1 |
|
| hmac-sha2-256 |
|
The list of algorithms in 4.7.0 with old algorithms support disabled:
| Algorithm | Notes |
|---|---|
| key exchange algorithms | |
| curve25519-sha256 | available since OpenSSH 7.4, Dropbear SSH 2018.76 |
| curve25519-sha256@libssh.org | available since OpenSSH 6.5, Dropbear SSH 2013.62 |
| diffie-hellman-group14-sha256 | available since OpenSSH 7.3, Dropbear SSH 2016.73 |
| kexguess2@matt.ucc.asn.au | available since Dropbear SSH 2013.57 |
| host-key algorithms | |
| ssh-ed25519 | available since OpenSSH 6.5 |
| rsa-sha2-256 (2048-bit) | available since OpenSSH 7.2 |
| encryption algorithms (ciphers) | |
| aes128-ctr | available since OpenSSH 3.7, Dropbear SSH 0.52 |
| aes256-ctr | available since OpenSSH 3.7, Dropbear SSH 0.52 |
| message authentication code (MAC) algorithms | |
| hmac-sha2-256 |
|