SSH: How to disable weak ciphers?
Security team of my organization told us to disable weak ciphers due to they issue weak keys.
arcfour arcfour128 arcfour256
But I tried looking for these ciphers in ssh_config and sshd_config file but found them commented.
grep arcfour * ssh_config:# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Where else I should check to disable these ciphers from SSH?
for SSH server it will be in `/etc/ssh/sshd_config` and for the SSH client it will be in `/etc/ssh/ssh_config`. You want to look for the `Cipher` line in each, and for example have just `Cipher aes256-ctr` specified. Then restart SSH via `/etc/init.d/sshd restart` or via the equivalent systemd command.
you want to become knowledgeable about all the parameters in `sshd_config` if you really care about SSH security, otherwise it can be all security theater.
@ron the second comment is an intriguing one, can you illustrate with an example what you intend?
the `ciphers` list is just one setting out of many for having SSH properly implemented... Protocol, PermitRootLogin, AuthorizedKeysFile, PermitEmptyPasswords, IgnoreRhosts, PermitTunnel, and so on. You can rely on their default settings as implemented in your linux distribution, but `Ignornance is bliss only up until you have a problem`
If you have no explicit list of ciphers set in
Cipherskeyword, then the default value, according to
man 5 ssh_config(client-side) and
man 5 sshd_config(server-side), is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, [email protected],[email protected], [email protected], aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour
Note the presence of the arcfour ciphers. So you may have to explicitly set a more restrictive value for
ssh -Q cipherfrom the client will tell you which schemes your client can support. Note that this list is not affected by the list of ciphers specified in
ssh_config. Removing a cipher from
ssh_configwill not remove it from the output of
ssh -Q cipher. Furthermore, using
-coption to explicitly specify a cipher will override the restricted list of ciphers that you set in
ssh_configand possibly allow you to use a weak cipher. This is a feature that allows you to use your
sshclient to communicate with obsolete SSH servers that do not support the newer stronger ciphers.
nmap --script ssh2-enum-algos -sV -p <port> <host>will tell you which schemes your server supports.
Hi , I mentioned specific ciphers in ssh_config and restarted ssh service but when I did ssh -Q cipher I am still getting all ciphers that I am getting earlier irrespective of my configuration.
I'm sorry, `ssh_config` is the client-side config, the server-side config is `sshd_config`, please try that. (It's also called `Ciphers` there.)
Yeah I know but when I grep for ciphers I found them at ssh_config so I did changes there. As production server I am not doing anything I am not sure