2 Replies Latest reply on Jan 5, 2016 11:50 AM by twisted_pony

    SSH Server CBC Mode Ciphers  & SSH Weak MAC Algorithms

    twisted_pony

      Hi all,

       

      I am trying to lock down the SSH config on an appliance to reject connections using the above ciphers and algorithms.

      So have edited the sshd_config file  (which as far as can see does not have any reference to these ciphers or algorithms in it..), to include:

       

      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

      MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160


      Restarting the sshd service works..

       

      So the question is will the addition of these two lines to the foot of the sshd_config file prevent the use of SSH Server CBC Mode Ciphers  & SSH Weak MAC Algorithms or do I need to do something further?

       

      Any advice appreciated:-)

        • 1. Re: SSH Server CBC Mode Ciphers  & SSH Weak MAC Algorithms
          twisted_pony

          Update: any thoughts?

           

          Was having a browse on the MWG and discovered this file:

          etc/ssh/ssh_config

           

          which contains

           

          # Host *

          #   ForwardAgent no

          #   ForwardX11 no

          #   RhostsRSAAuthentication no

          #   RSAAuthentication yes

          #   PasswordAuthentication yes

          #   HostbasedAuthentication no

          #   GSSAPIAuthentication no

          #   GSSAPIDelegateCredentials no

          #   GSSAPIKeyExchange no

          #   GSSAPITrustDNS no

          #   BatchMode no

          #   CheckHostIP yes

          #   AddressFamily any

          #   ConnectTimeout 0

          #   StrictHostKeyChecking ask

          #   IdentityFile ~/.ssh/identity

          #   IdentityFile ~/.ssh/id_rsa

          #   IdentityFile ~/.ssh/id_dsa

          #   Port 22

          #   Protocol 2,1

          #   Cipher 3des

          #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

          #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

          #   EscapeChar ~

          #   Tunnel no

          #   TunnelDevice any:any

          #   PermitLocalCommand no

          #   VisualHostKey no

          Host *

           

           

          So if I replace the highlighted text above with:

           

          # Host *

          #   ForwardAgent no

          #   ForwardX11 no

          #   RhostsRSAAuthentication no

          #   RSAAuthentication yes

          #   PasswordAuthentication yes

          #   HostbasedAuthentication no

          #   GSSAPIAuthentication no

          #   GSSAPIDelegateCredentials no

          #   GSSAPIKeyExchange no

          #   GSSAPITrustDNS no

          #   BatchMode no

          #   CheckHostIP yes

          #   AddressFamily any

          #   ConnectTimeout 0

          #   StrictHostKeyChecking ask

          #   IdentityFile ~/.ssh/identity

          #   IdentityFile ~/.ssh/id_rsa

          #   IdentityFile ~/.ssh/id_dsa

          #   Port 22

          #   Protocol 2,1

          #   Cipher 3des

          Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

          MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

          #   EscapeChar ~

          #   Tunnel no

          #   TunnelDevice any:any

          #   PermitLocalCommand no

          #   VisualHostKey no

           

          Does this solve my issue..or do I still have to make the required change on both files and restart the SSH service?

          Also...Do I need to remove the # on both lines in the file above?

           

          Thanks,

          :-)

          1 of 1 people found this helpful
          • 2. Re: SSH Server CBC Mode Ciphers  & SSH Weak MAC Algorithms
            twisted_pony

            Editing the sshd_config file as described works. The second file does not require editing.

             

            Thanks...