SSH Ciphers


Hello,

I am using RHEL 7.2. I understand I can modify /etc/ssh/sshd_config to remove deprecated/insecure ciphers from SSH. However, I am unsure which ciphers are for MD5 or 96-bit MAC algorithms. Could anyone please point me to the correct names to disable?

Thank you in advance.
JCH

Responses

Answered my own issue, I believe; anyone willing to confirm?

The steps:

  1. vi /etc/ssh/ssh_config
  2. Replace the #Ciphers line with: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
  3. Replace the #MACs line with: MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  4. Esc --> : --> :wq

Note there will no longer be a # in front of Ciphers and MACs.

  1. vi /etc/ssh/sshd_config
  2. Look for the lines "# Ciphers and keying" and "#RekeyLimit default none"
  3. Below "#RekeyLimit default none" add these two lines:
     Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
     MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  4. Esc --> : --> :wq

From here you will need to restart the sshd service:

  1. systemctl stop sshd.service, then systemctl start sshd.service (alternatively you can do: systemctl restart sshd.service). systemctl will not give you any verbose information that the service has been restarted, so I stop, then run systemctl | grep sshd.service; if it is still present after running the stop command, then it didn't stop.

  2. To test the ciphers, type: ssh -vv localhost. Look for the listing of allowed ciphers. Nothing should be pointing to MD5 or CBC.

Thanks Jason,

[update, I'm doing this on RHEL 7.2]

[2nd update: the bit below resolved the very last thing I needed.]

This solution (it doesn't cite RHEL 7.x), https://access.redhat.com/solutions/420283, shows the following in /etc/ssh/sshd_config:

MACs hmac-sha1,hmac-ripemd160

Hinton / Jason

Don't we have to make changes in /etc/ssh/ssh_config? I tried to make the entry below in both files, /etc/ssh/sshd_config and /etc/ssh/ssh_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160

Please verify.

/etc/ssh/sshd_config is the SSH server config. After modifying it, you need to restart sshd.

/etc/ssh/ssh_config is the default SSH client config. You can override it with ~/.ssh/config.

Also, ciphers are evaluated in order, so the correct line ought to be: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'

In RHEL 6.9, I do not find the ciphers below in /etc/ssh/sshd_config; can you please advise me why they are missing?

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

Please look at this solution: https://access.redhat.com/solutions/420283

Paolo

You can see what ciphers you have by doing this:

sudo sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
(sshd -T shows the full SSHD config file)

Also you could try nmap as well:

nmap -vv --script=ssh2-enum-algos.nse localhost

Or another:

gnutls-cli -l

Or:

ssh -Q mac
ssh -vv Servername   (ciphers listed)
ssh -Q kex
ssh -Q cipher
ssh -Q cipher-auth
ssh -Q mac
ssh -Q kex
ssh -Q key
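As an added example (not from this thread or from Red Hat), here is a small POSIX shell audit that parses sshd -T output, as suggested above, and answers the original question by flagging MD5-based and 96-bit MACs by name, together with the CBC and arcfour ciphers the test step says should be gone. The sample dump is constructed, and the patterns assume OpenSSH's algorithm naming (hmac-md5*, *-96 with optional -etm@openssh.com suffix, *-cbc, arcfour*).

```sh
#!/bin/sh
# Added example, not from the thread: audit "sshd -T" output for the algorithm
# families discussed above, using OpenSSH's own names (assumed naming scheme):
#   MACs    - MD5-based (hmac-md5*) and 96-bit tag (*-96, also the -etm@openssh.com forms)
#   ciphers - CBC mode (*-cbc) and RC4 (arcfour*)

# Constructed sample of "sshd -T" output; on a real host use: sudo sshd -T
SAMPLE_DUMP='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour256
macs hmac-md5,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1'

# join_matches REGEX: read one algorithm per line on stdin, print the matches comma-joined
join_matches() {
    out=$(grep -E "$1" | tr '\n' ',')
    printf '%s\n' "${out%,}"
}

# weak_macs "a,b,c": comma-joined MD5 / 96-bit MACs from the list (empty if none)
weak_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | join_matches '(-md5|-96)(-etm@openssh\.com)?$'
}

# weak_ciphers "a,b,c": comma-joined CBC / arcfour ciphers from the list (empty if none)
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | join_matches '(-cbc(@|$)|^arcfour)'
}

# sshd_t_value DUMP KEYWORD: the value printed for KEYWORD in an sshd -T dump
sshd_t_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# audit_dump DUMP: print findings; returns 0 when clean, 1 when weak algorithms remain
audit_dump() {
    bad_macs=$(weak_macs "$(sshd_t_value "$1" macs)")
    bad_ciphers=$(weak_ciphers "$(sshd_t_value "$1" ciphers)")
    status=0
    if [ -n "$bad_macs" ]; then echo "weak MACs still enabled:    $bad_macs"; status=1; fi
    if [ -n "$bad_ciphers" ]; then echo "weak ciphers still enabled: $bad_ciphers"; status=1; fi
    if [ "$status" -eq 0 ]; then echo "no MD5/96-bit MACs or CBC/arcfour ciphers enabled"; fi
    return "$status"
}

# With the constructed sample this reports hmac-md5, hmac-sha1-96, aes128-cbc, 3des-cbc, arcfour256
audit_dump "$SAMPLE_DUMP" || echo "audit exit status: $?"
```

Pipe a real dump in with `audit_dump "$(sudo sshd -T)"` after the sshd restart to confirm the new Ciphers and MACs lines took effect.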