Add references, try simplifying

Mathieu Simon 2023-09-12 12:04:05 +02:00
parent 7780fe0314
commit 5d061fc2ca

@ -4,10 +4,17 @@ SSH into an appliance running FortiOS, or use a local serial connection in order
## FortiOS >= 7.4.1 ## FortiOS >= 7.4.1
Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are available. Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are configurable.
``` ```
config system global config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands represent the default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-hostkey-algo ssh-ed25519 set ssh-hostkey-algo ssh-ed25519
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
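Review bot: the added comment `# These commands shoulnd't change default settings` has a typo, `shoulnd't` should read `shouldn't`; the same comment is added again in the 7.0.2 and 5.6.0 blocks further down, so fix all three. Two smaller points in this hunk: the comment `# These commands represent the default settings` sits directly above `set dh-params 8192`, while the 7.0.2 block labels the identical `set dh-params 8192` line as changing the default; only one of the two can be right, so please confirm the 7.4.1 default against the CLI reference added to the References list and word both comments consistently. The reworded sentence `more key exchange algorithms (KEX) are configurable` now uses "configurable" twice in one sentence; the previous wording `are available` read better.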
@ -15,62 +22,50 @@ set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end end
``` ```
**Checking the defaults** **References:**
Unless you have modified the defaults, you don't need to these, but you may still want to check them: * [Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.1/cli-reference/1620)
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5 * [Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/1620)
* ``strong-crypto``: Should default to **enabled** since 6.4.5
```
get system global | grep "ssh\|strong-crypto"
admin-ssh-grace-time: 120
admin-ssh-password : enable
admin-ssh-port : 22
admin-ssh-v1 : disable
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
ssh-hostkey-algo : ssh-ed25519
ssh-kex-algo : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
strong-crypto : enable
```
## FortiOS >= 7.0.2 / 7.2.x / 7.4.0 ## FortiOS >= 7.0.2 / 7.2.x / 7.4.0
Starting FortiOS 7.0.2 several options have been renamed compared to previous releases. Starting with FortiOS 7.0.2 ciphers become individually configurable, several options have been renamed compared to previous releases.
``` ```
config system global config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-kex-algo curve25519-sha256@libssh.org set ssh-kex-algo curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end end
``` ```
**Checking the defaults** **References**
Unless you have modified the defaults, you don't need to these, but you may still want to check them: * [Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol](https://docs.fortinet.com/document/fortigate/7.0.0/new-features/765236/enabling-individual-ciphers-in-the-ssh-administrative-access-protocol-7-0-2)
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5 * [Fortinet document library: FortiGate / FortiOS 7.0.2 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/1620)
* ``strong-crypto``: Should default to **enabled** since 6.4.5 * [Fortinet document library: FortiGate / FortiOS 7.0.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/1620)
``` ## FortiOS >= 5.6.0 <= 7.0.1
get system global | grep "ssh\|strong-crypto"
admin-ssh-grace-time: 120 Starting with _at least_ FortiOS 5.6.0 ``strong-crypto`` defaults to **enable** and SSHv1 defaults to disabled.
admin-ssh-password : enable
admin-ssh-port : 22
admin-ssh-v1 : disable
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
ssh-kex-algo : curve25519-sha256@libssh.org
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
strong-crypto : enable
```
## FortiOS >= 6.4.5 < 7.0.2
After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**.
``` ```
config system global config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-cbc-cipher disable set ssh-cbc-cipher disable
set ssh-hmac-md5 disable set ssh-hmac-md5 disable
set ssh-kex-sha1 disable set ssh-kex-sha1 disable
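Review bot: dropping the `Checking the defaults` blocks removes the only verification step the page had: `get system global | grep "ssh\|strong-crypto"` let a reader confirm the effective SSH algorithm set after applying (or deciding not to apply) the commands, which is exactly what a hardening guide should end with. Consider keeping that single command in each version block even if the expected-output listing goes for brevity. Also, the new sentence `Starting with _at least_ FortiOS 5.6.0 strong-crypto defaults to enable and SSHv1 defaults to disabled` contradicts the removed bullets, which stated that both defaults apply `since 6.4.5`; pick one version, back it with one of the hardening-guide links added in the next hunk, and use matching wording for both defaults (`enable` / `disable` or `enabled` / `disabled`). Minor: the 7.0.2 block's `**References**` heading lacks the trailing colon used by `**References:**` in the 7.4.1 block.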
@ -78,8 +73,16 @@ set ssh-mac-weak disable
end end
``` ```
**References**
* [Fortinet document library: FortiGate / FortiOS 6.4.0 > Hardening your FortiGate > Building security into FortiOS](http://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/building-security-into-fortios)
* [Fortinet document library: FortiGate / FortiOS 6.2.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
* [Fortinet document library: FortiGate / FortiOS 6.0.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
* [Fortinet document library: FortiGate / FortiOS 5.6.0 > Hardening your FortiGate](https://docs.fortinet.com/document/fortigate/5.6.0/hardening-your-fortigate/995103)
## Limitations ## Limitations
In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons: In most versions of FortiOS the configuration options available don't permit reaching a perfect score, here are some of the reasons:
* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases. * Ciphers: Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled.
* Host-key algorithms: Only pretty recent FortiOS version 7.4.1 or later permit configuring host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.
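Review bot: the reference labelled `FortiGate / FortiOS 6.2.0 > Hardening your FortiGate` links to the 6.0.0 document path (`.../fortigate/6.0.0/hardening-your-fortigate/995103`), which is identical to the URL of the 6.0.0 entry on the next line; either point it at the 6.2.0 document or drop the duplicate. The 6.4.0 entry is the only one using `http://` rather than `https://`. In the Limitations list, `Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled` reads as if 7.0.2 itself is excluded, whereas the section above says the feature starts with 7.0.2; `From FortiOS 7.0.2 onwards` avoids the ambiguity. Also `host keys algorithms` should be `host key algorithms`, and `pretty recent` is informal for a reference document.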