twisted_pony
Level 9

SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms


Hi all,

I am trying to lock down the SSH config on an appliance to reject connections using the above ciphers and algorithms.

So I have edited the sshd_config file (which, as far as I can see, does not have any reference to these ciphers or algorithms in it) to include:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160


Restarting the sshd service works.

So the question is: will the addition of these two lines to the foot of the sshd_config file prevent the use of SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms, or do I need to do something further?

Any advice appreciated :-)

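The question above comes down to whether two appended lines become the effective Ciphers and MACs of the server. The following is an added example (not code from the original post or from the appliance vendor) that audits an sshd_config text the way a practitioner would before trusting the change: it applies the documented sshd_config rule that the first value set for a keyword wins, ignores anything after a Match line, and then reports which CBC-mode ciphers and which MD5-based or 96-bit MACs are still allowed. The weak-MAC set is an assumption about how scanners define that finding; the RC4 (arcfour) check is an extra caveat because those ciphers are not CBC but were removed from OpenSSH 7.6 and are usually flagged on their own. Both sample configs are constructed for the demo.

```python
"""Audit an sshd_config for the algorithm classes named in this thread.

Added example (not from the original post or the appliance vendor).  It
applies the documented sshd_config rule that the FIRST value set for a
keyword wins, so Ciphers/MACs lines appended at the foot of the file only
take effect if no earlier global line already set the same keyword.  The
configs below are constructed for the demo, not taken from an appliance.
"""
import re

# MACs that scanners report under "SSH Weak MAC Algorithms": MD5-based and
# 96-bit-truncated variants (assumption: this is the usual scanner definition).
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com",
}
# RC4 ciphers: not CBC, but removed from OpenSSH 7.6 and flagged separately.
RC4_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}


def effective_options(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and may be followed by whitespace or '='.
    Directives inside a Match block are skipped because they only apply
    conditionally, and once a Match line appears the global section is over.
    """
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                      # rest of file is conditional
        opts.setdefault(key, value)    # first occurrence wins
    return opts


def audit(config_text):
    """Report which weak algorithms the global config still permits."""
    opts = effective_options(config_text)
    ciphers = [c for c in opts.get("ciphers", "").split(",") if c]
    macs = [m for m in opts.get("macs", "").split(",") if m]
    return {
        # an unset keyword means the OpenSSH build's defaults apply, which on
        # older releases include CBC ciphers and hmac-md5
        "ciphers_set": "ciphers" in opts,
        "macs_set": "macs" in opts,
        "cbc_ciphers": [c for c in ciphers if c.endswith("-cbc")],
        "rc4_ciphers": [c for c in ciphers if c in RC4_CIPHERS],
        "weak_macs": [m for m in macs if m in WEAK_MACS],
    }


# Constructed sample 1: the two lines the thread proposes appending.
POSTED_HARDENING = """
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
"""

# Constructed sample 2: the same two lines appended to a file that already
# had a Ciphers line higher up.  The earlier line wins; CBC stays enabled.
SHADOWED = """
# existing vendor settings
Ciphers aes128-cbc,3des-cbc,aes128-ctr
""" + POSTED_HARDENING

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_HARDENING), ("shadowed", SHADOWED)):
        print(name, audit(cfg))
```

On the appliance itself the authoritative check is `sshd -T`, which prints the effective configuration after all parsing rules are applied, so `sshd -T | grep -Ei '^(ciphers|macs)'` right after the restart confirms what the daemon will actually negotiate.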

Accepted Solutions
twisted_pony
Level 9

Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms


Editing the sshd_config file as described works. The second file does not require editing.

Thanks...

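The accepted answer says the sshd_config edit works. The added example below (not from the original thread or the appliance vendor) is the external check that settles it from a client's point of view: it reads the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), which lists every cipher and MAC the server is willing to negotiate regardless of which file was edited, and flags CBC ciphers and MD5/96-bit MACs in the offered lists. parse_kexinit() runs offline against a packet built by build_kexinit(), which is constructed test data rather than a capture; probe() needs a reachable host and the host name is whatever you pass in.

```python
"""Check what an SSH server really offers, independent of its config files.

Added example, not from the thread.  It sends a client identification
string, reads the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1) and
returns the name-lists the server advertises, then flags CBC ciphers and
MD5/96-bit MACs.  parse_kexinit() works on a constructed packet offline;
probe() needs network access to a real host.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20


def _read_string(buf, off):
    """Decode an SSH 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_kexinit(packet):
    """Parse an unencrypted binary packet holding SSH_MSG_KEXINIT."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet: type %d" % payload[0])
    off = 1 + 16                      # message type + 16-byte cookie
    fields = ["kex", "hostkey", "ciphers_c2s", "ciphers_s2c",
              "macs_c2s", "macs_s2c", "compression_c2s", "compression_s2c",
              "lang_c2s", "lang_s2c"]
    out = {}
    for name in fields:
        raw, off = _read_string(payload, off)
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out


def weak_offers(kexinit):
    """Return (cbc_ciphers, weak_macs) advertised server-to-client."""
    cbc = [c for c in kexinit["ciphers_s2c"] if c.endswith("-cbc")]
    weak = [m for m in kexinit["macs_s2c"]
            if "md5" in m or "-96" in m.split("@")[0]]
    return cbc, weak


def _recv_exact(sock, n):
    """Read exactly n bytes or raise on a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe(host, port=22, timeout=5.0):
    """Connect to a live server and return (banner, parsed KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # servers may send free-text lines before the SSH-2.0 identification
        line = b""
        while not line.startswith(b"SSH-"):
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        header = _recv_exact(sock, 5)           # packet_length + padding_length
        (packet_length,) = struct.unpack(">I", header[:4])
        packet = header + _recv_exact(sock, packet_length - 1)
        return line.decode("ascii", "replace").strip(), parse_kexinit(packet)


def build_kexinit(ciphers, macs):
    """Construct a KEXINIT packet for offline testing (not a real capture)."""
    def s(v):
        b = v.encode("ascii")
        return struct.pack(">I", len(b)) + b
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    payload += s("diffie-hellman-group14-sha1") + s("ssh-rsa")
    payload += s(ciphers) * 2 + s(macs) * 2 + s("none") * 2 + s("") * 2
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    padding_length = 8 - (5 + len(payload)) % 8   # total must be a multiple of 8
    if padding_length < 4:                        # and padding at least 4 bytes
        padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack(">IB", packet_length, padding_length)
            + payload + b"\x00" * padding_length)


if __name__ == "__main__":
    sample = build_kexinit("aes128-ctr,aes128-cbc,3des-cbc",
                           "hmac-md5,hmac-sha1,hmac-sha1-96")
    print(weak_offers(parse_kexinit(sample)))
```

Run `probe("appliance-hostname")` from a workstation after the sshd restart; if the returned `ciphers_s2c` and `macs_s2c` lists contain no `-cbc` entries and nothing that `weak_offers()` flags, the scanner findings in the thread title should clear on the next scan.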
twisted_pony
Level 9

Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms


Update: any thoughts?

I was having a browse on the MWG and discovered this file:

etc/ssh/ssh_config

which contains

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no

Host *

So if I replace the highlighted text above with:

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no

Does this solve my issue, or do I still have to make the required change in both files and restart the SSH service?

Also...Do I need to remove the # on both lines in the file above?

Thanks,

:-)
