
How to disable obsolete SSH cipher/MAC algorithms
Requirement:

Some security scans may report the following server-to-client or client-to-server encryption algorithms as vulnerable:

arcfour
arcfour128
arcfour256

Scans may also report some Message Authentication Code (MAC) algorithms, such as:

hmac-md5
hmac-md5-96
hmac-sha1-96



Solution:

Based on the SSH scan result, you may want to disable these obsolete encryption algorithms (ciphers) and MACs.

Before doing that, check which ciphers and MACs are currently allowed using the command below:

# sshd -T | grep "\(ciphers\|macs\)"



Configuration:

To disable the ciphers, edit the sshd configuration file using the command below:

# vi /etc/ssh/sshd_config

Press the ‘i’ key to enter insert mode, then copy the lines below to the end of the file.

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com

 

Now save the file by pressing keys ‘Esc’ => ’:’ => ‘wq!’

 

Then restart the sshd service:

# service sshd restart

 



Verification:

Run the same command again to verify the allowed ciphers and MACs:

# sshd -T | grep "\(ciphers\|macs\)"

 

The output now shows only the allowed algorithms.
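
The verification step can also be scripted so that it fails whenever one of the algorithms listed under Requirement is still enabled. The script below is an added example, not part of the original article; the function names find_flagged, audit_sshd and sample_before are hypothetical, and the sample sshd -T output is constructed.

```shell
#!/bin/sh
# Added example (not from the original article).
# Algorithms the article lists as flagged by security scans.
FLAGGED_CIPHERS="arcfour arcfour128 arcfour256"
FLAGGED_MACS="hmac-md5 hmac-md5-96 hmac-sha1-96"

# Reads `sshd -T` output on stdin and prints "<keyword> <algorithm>"
# for every flagged algorithm that is still enabled.
find_flagged() {
    while read -r key value; do
        case "$key" in
            ciphers) bad=$FLAGGED_CIPHERS ;;
            macs)    bad=$FLAGGED_MACS ;;
            *)       continue ;;
        esac
        # Split the comma-separated list and compare whole names, so the
        # allowed hmac-sha1 is not confused with the flagged hmac-sha1-96.
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            case " $bad " in
                *" $alg "*) printf '%s %s\n' "$key" "$alg" ;;
            esac
        done
    done
}

# Returns 0 when nothing flagged is enabled, 1 otherwise.
audit_sshd() {
    hits=$(find_flagged)
    if [ -n "$hits" ]; then
        printf 'Flagged algorithms still enabled:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `sshd -T` output from a host before the change.
sample_before() {
    cat <<'EOF'
port 22
ciphers aes128-ctr,aes256-ctr,arcfour256,aes128-cbc
macs hmac-md5,hmac-sha1,hmac-sha1-96,hmac-sha2-256
EOF
}
```

On a live host, run sshd -T | audit_sshd as root after the restart; a non-zero exit status means a flagged algorithm is still offered. Running sshd -t before the restart checks sshd_config for errors, which avoids losing remote access over a mistyped algorithm name.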
