ArubaOS Switch (AOS S) 16.11
Mathieu Simon edited this page Feb 2, 2024 · 10 revisions
ArubaOS Switch, or AOS-S for short, is a network operating system (NOS) used on various switches from Aruba Networks, a subsidiary of HPE. It was formerly known as HP ProVision. Depending on the version of AOS-S, not all commands may be available; this guide covers AOS-S 16.11.
SSH into a switch running AOS-S, or use a local serial connection in order to apply these options.
```
configure
crypto key generate ssh rsa bits 3072
exit
```
If the size is omitted, a 2048-bit RSA key is generated; 3072 bits is the largest size supported so far.
```
configure
no ip ssh cipher 3des-cbc
no ip ssh cipher aes128-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher [email protected]
no ip ssh mac hmac-md5
no ip ssh mac hmac-md5-96
no ip ssh mac hmac-sha1
no ip ssh mac hmac-sha1-96
no ip ssh kex ecdh-sha2-nistp256
no ip ssh kex ecdh-sha2-nistp384
no ip ssh kex ecdh-sha2-nistp521
no ip ssh kex diffie-hellman-group14-sha1
# Starting with 16.11.0015:
no ip ssh host-key-algorithm x509v3-ssh-rsa
no ip ssh host-key-algorithm ssh-dss
no ip ssh host-key-algorithm ssh-rsa
exit
write memory
```
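To confirm the commands took effect, compare what the switch advertises in its SSH key-exchange init message against the algorithms disabled above. The following is an added example, not part of the original guide or of ssh-audit: it decodes an `SSH_MSG_KEXINIT` payload and lists any disabled algorithm still on offer. The function names and both sample payloads are constructed for illustration, and the algorithm lists in the samples are not captures from a real switch.

```python
import struct

# Algorithms the commands above disable, keyed by AOS-S CLI keyword (the cipher
# whose name is obscured on the page is left out).
DISABLED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha1"},
    "host-key-algorithm": {"x509v3-ssh-rsa", "ssh-dss", "ssh-rsa"},
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}
# First six name-lists of SSH_MSG_KEXINIT (RFC 4253, section 7.1), in wire order.
FIELDS = ("kex", "host-key-algorithm", "cipher", "cipher", "mac", "mac")

def parse_kexinit(payload):
    """Return {keyword: set of names} from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, offered = 17, {key: set() for key in DISABLED}  # skip type + cookie
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        raw = payload[offset + 4:offset + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        offered[field].update(n for n in raw.decode("ascii").split(",") if n)
        offset += 4 + length
    return offered

def still_offered(payload):
    """Return the algorithms from DISABLED that the server still advertises."""
    offered = parse_kexinit(payload)
    return {k: sorted(offered[k] & bad) for k, bad in DISABLED.items() if offered[k] & bad}

def build_kexinit(kex, hostkey, ciphers, macs):
    """Build a constructed KEXINIT payload (sample data, not a switch capture)."""
    lists = [kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(names).encode("ascii") for names in lists))
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)

# Constructed samples: one before the commands are applied, one after.
BEFORE = build_kexinit(["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
                       ["ssh-rsa", "rsa-sha2-256"], ["aes256-ctr", "aes128-cbc"], ["hmac-sha2-256", "hmac-sha1"])
AFTER = build_kexinit(["diffie-hellman-group14-sha256"], ["rsa-sha2-256"],
                      ["aes256-ctr"], ["hmac-sha2-256"])
```

`still_offered(BEFORE)` reports one leftover per category, while `still_offered(AFTER)` returns an empty dict. The payload is the packet body that remains after removing the 4-byte packet length, the 1-byte padding length and the trailing padding from the server's first binary packet.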
AOS-S 16.11 does not allow you to reach a perfect score. Here are some reasons:
- Host-key algorithms: AOS-S supports only RSA (up to 3072 bits) or DSA (up to 1024 bits) host keys so far.
- MACs: `hmac-sha2-256` cannot be disabled, as it is the only one remaining after disabling all other insecure MACs.
16.11.x | ssh-audit |
---|---|
YA.16.11.0016 | master @ f326d58068c7914ee1af6dbad4a7f67be9d67155 |
YA.16.11.0013 | |
YA.16.11.0008 | |
YA.16.11.0005 | |