How to disable Weak Cipher, insecure HMAC and Key Exchange Algorithms in SSH servers of CentOS/RHEL 6
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a '+' character, the specified ciphers are appended to the default set instead of replacing them.
The supported ciphers are:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com
The default is:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
To disable the CBC-mode and arcfour (RC4) ciphers, update /etc/ssh/sshd_config with a Ciphers line that lists only the ciphers that are required, leaving out every cbc and arcfour entry:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This line allows only the AES ciphers in counter mode (CTR), which are considered stronger than the CBC-mode and arcfour (RC4) ciphers that are left out.
Restart the sshd service after the changes have been made.
MACs
MACs specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a '+' character, the specified algorithms are appended to the default set instead of replacing them.
The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use is recommended. The supported MACs are:
The default is:
To disable the weak MAC algorithms, update /etc/ssh/sshd_config with a MACs line that lists only the MAC algorithms that are required, for example:
This line allows only the HMAC-SHA2 algorithms, with 256-bit and 512-bit hash functions respectively. These are considered stronger than the truncated 96-bit MAC algorithms (hmac-sha1-96, hmac-md5-96) and the MD5-based MACs.
Restart the sshd service after the changes have been made.
KexAlgorithms
KexAlgorithms defines the key exchange algorithms allowed by the SSH server. If the specified value begins with a '+' character, the specified key exchange algorithms are appended to the default set instead of replacing them.
The default key exchange algorithms:
Modify the line to remove any weak key exchange algorithms. For example:
This line allows only the Diffie-Hellman key exchange algorithms that use SHA-256, leaving out the SHA-1 variants (including diffie-hellman-group1-sha1 with its 1024-bit group) for better security.
Restart the sshd service after the changes have been made.
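The three edits above (Ciphers, MACs, KexAlgorithms) as one scripted procedure. This is an added example written for this page, not a script from the DataCore article. It assumes the stock CentOS/RHEL 6 layout (/etc/ssh/sshd_config, /usr/sbin/sshd, service sshd restart) and that the algorithm names it writes (the aes*-ctr ciphers, hmac-sha2-512/hmac-sha2-256, diffie-hellman-group-exchange-sha256) are accepted by the installed sshd build; whether they are is exactly what the sshd -t step checks before anything is restarted. The sample sshd_config it edits in --demo mode is constructed for the example. It also handles a detail the article leaves out: these three keywords are not allowed inside a Match block, so simply appending them to a file that ends with a Match section makes sshd -t fail.

```shell
#!/bin/sh
# Added example, not part of the original DataCore article.
# Rewrites the Ciphers, MACs and KexAlgorithms directives of an sshd_config
# file, keeps them outside any Match block, and (with --apply) validates the
# result with "sshd -t" before restarting sshd the CentOS/RHEL 6 way.
# Assumption: the installed sshd accepts the algorithm names below.

CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'
MACS='hmac-sha2-512,hmac-sha2-256'
KEX='diffie-hellman-group-exchange-sha256'

# set_directive FILE NAME VALUE
# Drops every existing copy of NAME (commented out or not) and writes
# "NAME VALUE" once. sshd honours the first occurrence of a keyword, and these
# keywords are rejected inside a Match block, so the new line is placed in
# front of the first "Match" line instead of at the end of the file.
set_directive() {
    tmp="$1.tmp.$$"
    awk -v n="$2" -v v="$3" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # ignore a leading "#" and blanks
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == tolower(n)) next        # discard old copies of the keyword
            if (key == "match" && !done) { print n " " v; done = 1 }
            print
        }
        END { if (!done) print n " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"   # keep owner/mode of FILE
}

# get_directive FILE NAME: the value sshd would use (first uncommented line).
get_directive() {
    awk -v n="$2" 'tolower($1) == tolower(n) { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the three lines recommended in the article.
harden_sshd_config() {
    set_directive "$1" Ciphers "$CIPHERS"
    set_directive "$1" MACs "$MACS"
    set_directive "$1" KexAlgorithms "$KEX"
}

# has_weak_algorithms FILE: succeeds if an effective directive still names a
# CBC cipher, arcfour/RC4, an MD5 MAC, a truncated 96-bit MAC or a SHA-1 kex.
has_weak_algorithms() {
    grep -Eiq '^[[:space:]]*(Ciphers|MACs|KexAlgorithms)[[:space:]].*(-cbc|arcfour|md5|-96|-sha1)' "$1"
}

# make_sample_config FILE: a constructed sshd_config fragment in the style of
# the stock CentOS 6 file, carrying the weak settings this article is about.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real host's file)
Port 22
Protocol 2
#Ciphers aes128-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-md5,hmac-sha1,hmac-sha1-96
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

# apply_live: back up /etc/ssh/sshd_config, harden it, test it, restart sshd.
apply_live() {
    cfg=/etc/ssh/sshd_config
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak"
    harden_sshd_config "$cfg"
    # sshd -t rejects names this build does not know ("Bad SSH2 cipher spec",
    # "Bad SSH2 Mac spec"), so a broken config never reaches the restart.
    if /usr/sbin/sshd -t; then
        service sshd restart
    else
        echo "sshd -t rejected the new config; restoring $bak" >&2
        cp -p "$bak" "$cfg"
        return 1
    fi
}

case "${1:-}" in
    --apply) apply_live ;;
    --demo)
        f=$(mktemp)
        make_sample_config "$f"
        harden_sshd_config "$f"
        cat "$f"
        rm -f "$f"
        ;;
    *) echo "usage: $0 --demo | --apply" ;;
esac
```

Run it with --demo first to see the rewritten sample, then with --apply as root. Keep the session you are running it from open until a fresh login has been confirmed: the restart does not drop established sessions, but a client that can only offer CBC or arcfour ciphers will fail its new connection with "no matching cipher found" once the Ciphers line is in place.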
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.