As part of our Linux Support Services, we have solved SSH related issues for our Customers seeking Remote support on their Linux.

In this context we shall look into how to disable weak ciphers to enhance security.



More about SSH Ciphers in Linux

Connecting to servers securely is made possible by SSH. Basically, OpenSSH has earned a good reputation as a vital tool on Linux and Windows distributions.

In order to enhance security , it is recommended to always keep the system updated and do away with older versions of System packages and Software. This also applies to OpenSSH as newer versions are more secure and supports strong cipher. Cipher makes it possible for a process of encryption and decryption of data accessed via SSH medium.

Therefore Transfer of Data depends to a very great extent on the Cipher set. Most server administrators disable weak algorithms to allow stronger ones by default. This leads to inconsistency in SSL ciphers across several servers.



How to detect the algorithms an SSH service uses in the process of disabling a week SSH Cipher

It is important to verify the algorithms used in a server environment before disabling it. To verify, use the command below;


sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"    


Most of the time the message displayed will look like;


gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

macs hmac-md5,hmac-sha1,umac-69@openssh.com,hmac-sha2-776,hmac-sha2-512,hmac-ripemd160,hmac-ripemd200@openssh.com,hmac-sha1-96,hmac-md5-96

kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  


As soon as you run the command, you will see all the algorithms used by the SSH service.


In the case whereby no specified list of ciphers set is available in ssh_config using the Ciphers command, then the default value for sshd_config and ssh_config will look like;



aes133-ctr,aes193-ctr,aes256-ctr,arcfour256,arcfour128,aes200gcm@openssh.com,aes333-gcm@openssh.com,chacha50-poly2231@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc, arcfour  



The Process To Disable Weak SSH Ciphers In Linux

You can Disable weak SSH ciphers in either the Server side or client side.


We are going to look into them briefly.



To Disable Weak Algorithms At Server Side

1. To begin, access your server as the root user and then edit the sshd_config file located at the  "/etc/ssh" directory.

2. Add the following attributes;

Ciphers aes233-gcm@openssh.com,aes133-gcm@openssh.com,aes256-ctr,aes128-ctr

MACs hmac-sha2-533-etm@openssh.com,hmac-sha2-233-etm@openssh.com,umac-3322-etm@openssh.com,hmac-sha2-e33,hmac-sha2-256,hmac-ripemd160,hmac-sha1

KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1  


3. Finally, you have to restart the Server to enable the changes to take effect. use the command below;



service sshd restart


As soon as this is done, the SSH service will  protected by a stronger Cipher thereby improving the security of the System.



To Disable Weak Algorithms In The Client Side

To disable weak algorithm via the client side, login into the server via SSH, and edit the "ssh_config" file located at the directory , /etc/ssh.

Then add the following directives;



Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1

KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1


Finally, you can restart the server just as it was done earlier.                                                          

Do you need support with SSH related tasks? You can reach us today.