SSH Ciphers


Hello,

I am using RHEL 7.2. I understand I can modify /etc/ssh/sshd.config to remove deprecated/insecure ciphers from SSH. However I am unsure which Ciphers are for MD5 or 96-bit MAC algorithms. Could anyone please point me to the correct names to disable?

Thank you in advance.
JCH

Responses

Answered my own issue, I believe; anyone willing to confirm?

The steps:

  1. vi /etc/ssh/ssh_config
  2. Replace the #Ciphers line with: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
  3. Replace the #MACs line with: MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  4. Esc --> : --> :wq

Note there will no longer be a # in front of Ciphers and MACs.

  1. vi /etc/ssh/sshd_config
  2. Look for the lines "# Ciphers and keying" and "#RekeyLimit default none"
  3. Below "#RekeyLimit default none" add the two lines:
     Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
     MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  4. Esc --> : --> :wq

From here you will need to restart the sshd service:

  1. systemctl stop sshd.service then systemctl start sshd.service (alternatively you can do: systemctl restart sshd.service). systemctl will not give you any verbose information that the service has been restarted, so I stop, then run systemctl | grep sshd.service; if it is present after running the stop command then it didn't stop.

  2. To test the ciphers, type ssh -vv localhost and look for the listing of allowed ciphers. Nothing should be pointing to MD5 or CBC.
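As an added example (not from the thread), a small POSIX shell helper that performs the edit above non-interactively: it backs up the file, removes any existing Ciphers/MACs lines (commented or not, since sshd uses only the first occurrence of a keyword), appends the new ones, and offers an sshd -t syntax check to run before restarting. The function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently set Ciphers and MACs in an
# sshd_config-style file, keep a backup, and syntax-check before any restart.
# Usage: set_ssh_algos FILE CIPHERS MACS
set -e

set_ssh_algos() {
    file=$1 ciphers=$2 macs=$3
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    # Drop every existing Ciphers/MACs line (commented or not) that carries a
    # single value, then append one uncommented line each. OpenSSH takes the
    # first occurrence of a keyword, so leaving an old line above would win.
    tmp=$(mktemp)
    grep -Evi '^[[:space:]]*#?[[:space:]]*(Ciphers|MACs)[[:space:]]+[^[:space:]]+[[:space:]]*$' \
        "$file" > "$tmp" || true
    printf 'Ciphers %s\nMACs %s\n' "$ciphers" "$macs" >> "$tmp"
    cat "$tmp" > "$file"    # cat, not mv, so the file keeps its owner/mode
    rm -f "$tmp"
}

# Print a directive's value the way sshd would read it: first uncommented match.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Syntax-check with sshd -t when sshd is installed (a typo in MACs or Ciphers
# otherwise stops the daemon from coming back after the restart).
check_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}
```

Run check_config on the edited file and only restart sshd when it returns 0.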

Thanks Jason,

[update, I'm doing this on RHEL 7.2]

[2nd update, the below bit for me resolved the very last bit I needed.]

This solution (doesn't cite RHEL 7.x) https://access.redhat.com/solutions/420283 shows the following in /etc/ssh/sshd_config:

MACs hmac-sha1,hmac-ripemd160

Hinton / Jason

Don't we have to make changes to /etc/ssh/ssh_config? I tried to make the below entry in both files, /etc/ssh/sshd_config and /etc/ssh/ssh_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160

Please verify

/etc/ssh/sshd_config is the SSH server config. After modifying it, you need to restart sshd.

/etc/ssh/ssh_config is the default SSH client config. You can override it with ~/.ssh/config.

Also, ciphers are evaluated in order, so the correct line ought to be: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'

In RHEL 6.9, I do not find the below cipher under /etc/ssh/sshd_config; can you please advise me why they are missing?

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

Please look at this solution: https://access.redhat.com/solutions/420283

Paolo

You can see what ciphers you have by doing this:

sudo sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"

sshd -T shows the full SSHD config file.

Also you could try nmap as well:

nmap -vv --script=ssh2-enum-algos.nse localhost

Or another:

gnutls-cli -l

Or:

ssh -Q mac
ssh -vv Servername (ciphers listed)
ssh -Q kex
ssh -Q cipher
ssh -Q cipher-auth
ssh -Q key
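As an added example (not from the thread), a shell function that reads sshd -T output and flags the algorithm families these commands are meant to surface: arcfour (RC4) and CBC ciphers, MD5-based and 96-bit-truncated MACs, and the SHA-1 based group1 and group-exchange key exchanges. The sample input is constructed; the function and pattern names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit `sshd -T` output for weak
# algorithm families. Real use:  sshd -T | audit_ssh_algos
set -e

# Extended regexes matched against each individual algorithm name.
WEAK_CIPHERS='arcfour|-cbc'                       # RC4 and any CBC mode
WEAK_MACS='md5|-96(@|$)'                          # MD5 based or 96-bit tag
WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1'

# Reads "keyword value" lines (sshd -T style, lowercase keywords) on stdin.
# Prints "<keyword> <algorithm>" for every weak entry; returns 1 if any were
# found, 0 if the configuration is clean.
audit_ssh_algos() {
    found=0
    while read -r key val; do
        case "$key" in
            ciphers)       pat=$WEAK_CIPHERS ;;
            macs)          pat=$WEAK_MACS ;;
            kexalgorithms) pat=$WEAK_KEX ;;
            *)             continue ;;
        esac
        for alg in $(printf '%s\n' "$val" | tr ',' ' '); do
            if printf '%s\n' "$alg" | grep -Eq "$pat"; then
                echo "$key $alg"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample (not real sshd output) mixing the thread's recommended
# lists with the entries a scanner would complain about.
SAMPLE='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-cbc
macs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-md5,hmac-sha1-96
kexalgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Run the sample through the audit; exit status 1 means something was flagged.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_ssh_algos
}
```

Note that sshd -T prints the effective server configuration, so it catches weak entries that come from defaults as well as from explicit Ciphers/MACs lines.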

I have changed this to MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512 but the sshd service is not working in RHEL 5.9. Please help.

Hi Navin,

Blunt advice: RHEL 5.9 is outdated ... please consider installing a current edition - either RHEL 7.7 or RHEL 8.1 ! :)

Regards,
Christian

Navin Kumar,

Christian is absolutely correct. RHEL 5.x is horribly out of date, and has glaring security issues because it has not been supported for quite some time now.

Do you by the way have a backup copy (or extra copy) of your sshd_config?

When did this issue arise, was it after the change of your /etc/ssh/sshd_config file? Was there another change? Can you revert your change and attempt ssh? Please highly consider replacing that server, however while you have it, either consider temporarily reverting your recent changes that caused the issue, or try a different MACs configuration in that file.

Let us know, Regards
RJ

Navin Kumar

Navin, see this solution first: https://access.redhat.com/solutions/420283 However, the Ciphers/MACs listed there may or may not work with RHEL 5.9. See the next Red Hat Solution below.

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_BACKUP_20200115
# make the recommended changes to Ciphers in the Red Hat solution 1181463 listed above.
service sshd restart

Please take Christian Labisch's advice above, build a new system with a supported version of Red Hat.

Let us know, Regards
RJ

Hi, I have Linux 7.8. I am getting "SSH Server Supports RC4 Cipher Algorithms" and "Weak Key Exchange Algorithms". I have used

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha1,hmac-ripemd160

but the vulnerability is still alive.

Anup, I know it's a bit late, but are you using Nessus for vulnerability scanning, by chance? I found that it recently reports on both ssh_config AND sshd_config settings for the configuration. For me, editing the Ciphers in both the server's sshd service config and ssh client config resolved the Vulnerability report.