Running CentOS 7.9.2009 with kernel 5.12.1-1.el7.elrepo.x86_64. I'm trying to update ssh to not use weak ciphers. Running ssh -Q cipher, I get this:
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
So I added this section to sshd_config. Then systemctl restart sshd. Also tried a reboot. But anytime I rerun ssh -Q cipher, I still get the list above. Not sure how to fix this and need to get this working on about 25 servers. Any help is appreciated.
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
#RekeyLimit default none
# HostKeyAlgorithms
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
# KexAlgorithms
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
I also ran ssh -Q kex and got the output below. So it's as if none of my changes are taking effect:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
# MACs
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
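
Added example (not part of the original post): `ssh -Q cipher` and `ssh -Q kex` list the algorithms the installed OpenSSH binary supports, so their output does not change with sshd_config; the settings the server actually applies are printed by `sshd -T`. The script below compares `sshd -T`-style output with the lists from the post's sshd_config; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Lists copied from the post's sshd_config.
WANT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'
WANT_KEX='ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256'
WANT_MACS='hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# check_effective (hypothetical name): reads "sshd -T" output on stdin, prints every
# algorithm that is enabled but absent from the lists above, and returns 1 if any is
# found or if a keyword is missing. Real use, as root: sshd -T | check_effective
check_effective() {
    awk -v c="$WANT_CIPHERS" -v k="$WANT_KEX" -v m="$WANT_MACS" '
        BEGIN {
            want["ciphers"] = "," c ","
            want["kexalgorithms"] = "," k ","
            want["macs"] = "," m ","
        }
        # sshd -T prints a lower-case keyword, then a comma-separated list
        ($1 in want) {
            seen[$1] = 1
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (index(want[$1], "," algs[i] ",") == 0) {
                    print "UNEXPECTED " $1 ": " algs[i]
                    bad = 1
                }
        }
        END {
            for (key in want)
                if (!(key in seen)) { print "MISSING " key; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: a dump where the post's sshd_config settings are in effect.
sample_applied() {
    printf '%s\n' 'port 22' "ciphers $WANT_CIPHERS" "macs $WANT_MACS" "kexalgorithms $WANT_KEX"
}

# Constructed sample: a dump where the settings were NOT picked up.
sample_not_applied() {
    printf '%s\n' 'port 22' \
        'ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc' \
        'macs hmac-sha2-256,hmac-sha1,hmac-md5' \
        'kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group1-sha1'
}

sample_not_applied | check_effective || echo "effective settings differ from sshd_config"
```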