LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-06-2021, 06:44 PM   #1
mramirez81
LQ Newbie
 
Registered: May 2021
Posts: 3

Updating sshd_config with new list of ciphers


Running CentOS 7.9.2009 with kernel 5.12.1-1.el7.elrepo.x86_64. I'm trying to update ssh to not use weak ciphers. Running ssh -Q cipher, I get this:

3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

So I added this section to sshd_config. Then systemctl restart sshd. Also tried a reboot. But anytime I rerun ssh -Q cipher, I still get the list above. Not sure how to fix this and need to get this working on about 25 servers. Any help is appreciated.

# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
#RekeyLimit default none

# HostKeyAlgorithms
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss

# KexAlgorithms
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256

I also ran ssh -Q kex and got this below. So it's as if none of my changes are taking effect:

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-


# MACs
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
 
Old 05-07-2021, 11:49 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,294
Blog Entries: 3

That polling method only queries the client and reports what is available in principle to that client, not what the server has actually been configured with. The way to see what is going on with the server would be with the -T option and sshd with or without the -C option.

Code:
/usr/sbin/sshd -T | sort | less

/usr/sbin/sshd -T | grep ciphers
 
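The point made in the reply above is that `ssh -Q` inventories what the client binary supports, while `sshd -T` prints the configuration the daemon will actually enforce. The script below is an added example (not code from the thread or from OpenSSH) that audits `sshd -T` output for algorithms a reviewer would want to see gone. The pattern list in WEAK_RE is this example's own assumption, and the sample input is constructed from the lists in the first post, written the way `sshd -T` prints them (lowercase keyword, one comma-separated list per line). The `-C` connection spec in live_audit uses placeholder values.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the EFFECTIVE sshd algorithm
# lists as printed by `sshd -T`, instead of the client-side `ssh -Q` inventory.
# The weak-algorithm patterns below are this example's own assumption.

# Case-insensitive extended regex of algorithm names treated as weak here.
WEAK_RE='cbc|arcfour|3des|blowfish|cast128|sha1|ssh-dss|group1-'

# audit_sshd_t FILE
# FILE holds `sshd -T` output (keyword, space, comma-separated list per line).
# Prints "<keyword> <algorithm>" for every weak entry found.
audit_sshd_t() {
    grep -Ei '^(ciphers|kexalgorithms|macs|hostkeyalgorithms) ' "$1" |
    while read -r keyword list; do
        # One algorithm per line, then test each against the deny pattern.
        printf '%s\n' "$list" | tr ',' '\n' | while read -r alg; do
            if printf '%s\n' "$alg" | grep -Eiq "$WEAK_RE"; then
                printf '%s %s\n' "$keyword" "$alg"
            fi
        done
    done
}

# weak_count FILE: number of weak entries (0 means the lists are clean).
weak_count() {
    audit_sshd_t "$1" | wc -l | tr -d ' '
}

# live_audit [user=U,host=H,addr=A]
# Runs the real daemon in extended test mode; the optional -C spec makes it
# apply Match blocks for that connection. Needs root and an installed sshd.
# Returns 0 only when no weak entry is found.
live_audit() {
    tmp="${TMPDIR:-/tmp}/sshd_T.$$"
    if [ -n "$1" ]; then
        /usr/sbin/sshd -T -C "$1" > "$tmp"
    else
        /usr/sbin/sshd -T > "$tmp"
    fi
    audit_sshd_t "$tmp"
    n=$(weak_count "$tmp")
    rm -f "$tmp"
    [ "$n" -eq 0 ]
}

# Constructed sample: the lists from the first post, in `sshd -T` format.
SAMPLE_FILE="${TMPDIR:-/tmp}/sshd_T_sample.$$"
cat > "$SAMPLE_FILE" <<'EOF'
ciphers aes128-ctr,aes192-ctr,aes256-ctr
hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
macs hmac-sha2-256,hmac-sha2-512,hmac-sha1
EOF

# Usage on the sample. On a real host, run instead:
#   live_audit
#   live_audit user=alice,host=client.example,addr=192.0.2.10   (placeholder values)
audit_sshd_t "$SAMPLE_FILE"
echo "weak entries: $(weak_count "$SAMPLE_FILE")"
```

Run against the sample, the audit flags ssh-dss, diffie-hellman-group14-sha1 and hmac-sha1 (three entries); the cipher line passes. Because live_audit exits non-zero when anything is flagged, the same function can be pushed out to each of the 25 hosts and its exit status collected, which is a more reliable check than rerunning `ssh -Q` locally.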
Old 05-11-2021, 06:05 PM   #3
scottieH
Member
 
Registered: Mar 2021
Posts: 58

The ciphers should be listed in strongest to weakest order. You have:
Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Since the ssh daemon will search the ciphers from left-to-right and stop on the first one both machines understand, you'll want to reverse your order:
Code:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This way, you are guaranteed to have the strongest available to both sides of the connection.
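The following is an added example (not code from the thread or from OpenSSH) that models how the two name-lists are reconciled. RFC 4253 section 7.1 states the rule: the chosen algorithm is the first entry in the client's name-list that also appears in the server's name-list. The server's Ciphers line therefore acts as an allow-list, and which of the allowed entries wins is decided by the client's ordering, which is why restricting the set, as the posts above do, is the part that hardens the server. The client preference list CLIENT_PREF is a constructed assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the algorithm-negotiation rule of
# RFC 4253 section 7.1. Both sides send their name-lists; the chosen algorithm
# is the first entry in the CLIENT's list that also appears in the SERVER's
# list. The server list therefore acts as an allow-list, and ordering among the
# allowed entries is decided by the client.

# negotiate CLIENT_LIST SERVER_LIST   (both comma-separated, no spaces)
# Prints the chosen name and returns 0; prints nothing and returns 1 if the
# lists do not intersect (the real connection would then fail).
negotiate() {
    client_list=$1
    server_list=$2
    saved_ifs=$IFS
    IFS=','
    for cand in $client_list; do
        for srv in $server_list; do
            if [ "$cand" = "$srv" ]; then
                IFS=$saved_ifs
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    IFS=$saved_ifs
    return 1
}

# Constructed client preference list (an assumption of this example, not a
# value taken from any particular OpenSSH release).
CLIENT_PREF='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Server lists: the two orderings from the post above, plus a narrower one.
SERVER_ASC='aes128-ctr,aes192-ctr,aes256-ctr'
SERVER_DESC='aes256-ctr,aes192-ctr,aes128-ctr'
SERVER_256='aes256-ctr,aes256-gcm@openssh.com'

echo "ascending server list  -> $(negotiate "$CLIENT_PREF" "$SERVER_ASC")"
echo "descending server list -> $(negotiate "$CLIENT_PREF" "$SERVER_DESC")"
echo "256-bit-only server    -> $(negotiate "$CLIENT_PREF" "$SERVER_256")"
negotiate "$CLIENT_PREF" '3des-cbc' || echo "no common cipher: connection would fail"
```

With the constructed client list, both server orderings yield aes128-ctr, and only a server list that omits the 128-bit mode yields aes256-ctr; a client that lists aes256-ctr first gets it against either server ordering. A server list with no overlap, such as the legacy 3des-cbc, makes the function return 1, the same outcome as a failed key exchange.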