ArubaOS Switch (AOS-S) 16.11
Mathieu Simon edited this page 2024-02-02 10:19:18 +01:00

ArubaOS Switch, or AOS-S for short, is the network operating system (NOS) running on a range of switches from Aruba Networks, a subsidiary of HPE. It was formerly known as HP ProVision. Not every command below is available on every AOS-S release; this guide covers AOS-S 16.11.

SSH into a switch running AOS-S, or connect to its serial console, to apply the settings below. The serial console is the safer choice: a mistake in step 2 can remove the algorithms your own SSH client needs and lock you out of remote access until it is corrected, so keep one working session open until you have verified the result from a second connection.

1. Re-generate the RSA keys

configure

crypto key generate ssh rsa bits 3072

exit

If the size is omitted, a 2048-bit RSA key is generated; 3072 bits is the largest size AOS-S supports so far.

2. Restrict the supported key exchange, host-key, cipher and MAC algorithms

configure

no ip ssh cipher 3des-cbc
no ip ssh cipher aes128-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se

no ip ssh mac hmac-md5
no ip ssh mac hmac-md5-96
no ip ssh mac hmac-sha1
no ip ssh mac hmac-sha1-96

no ip ssh kex ecdh-sha2-nistp256
no ip ssh kex ecdh-sha2-nistp384
no ip ssh kex ecdh-sha2-nistp521
no ip ssh kex diffie-hellman-group14-sha1

# The host-key-algorithm commands are available starting with 16.11.0015:
no ip ssh host-key-algorithm x509v3-ssh-rsa
no ip ssh host-key-algorithm ssh-dss
no ip ssh host-key-algorithm ssh-rsa

exit

3. Save the running configuration of the switch to flash

write memory
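To confirm that the switch really stopped offering the algorithms removed in step 2, you can inspect the SSH_MSG_KEXINIT it sends at the start of every connection: the name-lists in that message are exactly what ssh-audit evaluates. The following script is an added example, not code from this guide or from Aruba; it parses a KEXINIT payload (RFC 4253 section 7.1 framing) and reports every algorithm from the deny-list above that is still offered. The hostname, the client identification string and the sample algorithm lists used in the self-test are assumptions; they are not a claim about what a particular AOS-S build offers by default.

```python
"""Check an SSH server's KEXINIT against the AOS-S algorithm deny-list above (added example)."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Algorithms the guide disables in step 2. Anything from this set that the switch
# still offers means the configuration was not applied (or not saved to flash).
DENY = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha1"},
    "host_key": {"x509v3-ssh-rsa", "ssh-dss", "ssh-rsa"},
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "rijndael-cbc@lysator.liu.se"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}

# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf: bytes, off: int):
    """Decode one SSH name-list (uint32 length + comma-separated names) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (binary-packet framing already stripped) into name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message id + 16-byte random cookie
    lists = {}
    for field in FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload from name-lists; used here only to construct test input."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a fixture
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved


def audit(lists: dict) -> list:
    """Return sorted 'category: algorithm' findings for every denied algorithm still offered."""
    offered = {
        "kex": set(lists["kex"]),
        "host_key": set(lists["host_key"]),
        "cipher": set(lists["cipher_c2s"]) | set(lists["cipher_s2c"]),
        "mac": set(lists["mac_c2s"]) | set(lists["mac_s2c"]),
    }
    return sorted(f"{cat}: {alg}" for cat, algs in offered.items()
                  for alg in algs & DENY[cat])


def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange identification strings with the server and return its raw KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # a server may send banner lines before its version string
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit-check\r\n")  # assumed client identification string
        (packet_len,) = struct.unpack(">I", f.read(4))
        pad_len = f.read(1)[0]
        body = f.read(packet_len - 1)  # payload followed by random padding, no MAC yet
        return body[:packet_len - 1 - pad_len]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "switch.example.net"  # assumed hostname
    findings = audit(parse_kexinit(fetch_kexinit(target)))
    print("\n".join(findings) or "no denied algorithms offered")
```

Run it against the switch after `write memory` and again after a reboot: an empty result means the deny-list took effect and survived the restart. The deny-list only covers what this guide removes; ssh-audit remains the authority for anything else it flags.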

Limitations

AOS-S 16.11 cannot reach a perfect ssh-audit score. The reasons are:

  • Host-key algorithms: AOS-S supports only RSA (up to 3072 bits) or DSA (up to 1024 bits) host keys so far; no other key types are available.
  • MACs: hmac-sha2-256 cannot be disabled, because once the weaker MACs are removed it is the only one left and the switch needs at least one. ssh-audit still flags it (it is an encrypt-and-MAC construction rather than an encrypt-then-MAC one), which caps the score.

Validated versions

16.11.x          ssh-audit
YA.16.11.0016    master @ f326d58068c7914ee1af6dbad4a7f67be9d67155
YA.16.11.0013
YA.16.11.0008
YA.16.11.0005