How to disable SSH cipher/MAC algorithms
Requirement:
Some security scans flag the following server-to-client or client-to-server encryption algorithms (ciphers) as vulnerable:
arcfour
arcfour128
arcfour256
and the following Message Authentication Code (MAC) algorithms:
hmac-md5
hmac-md5-96
hmac-sha1-96
Solution:
Based on the SSH scan result you may want to disable these ciphers and MACs.
Before doing so, check which ciphers and MACs sshd currently allows with the command below:
# sshd -T | grep "\(ciphers\|macs\)"
Configuration:
Disable the ciphers by editing the sshd configuration file:
# vi /etc/ssh/sshd_config
Press 'i' to enter insert mode and add the lines below at the end of the file. These directives replace the default lists, so only the algorithms you list will be offered; adjust the lists to your own policy (scanners may also flag the CBC ciphers and hmac-sha1 shown here).
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
Save the file by pressing 'Esc', then typing ':wq!' and Enter.
Then restart the sshd service:
# service sshd restart
Verification:
Run the command again to verify the allowed ciphers and MACs:
# sshd -T | grep "\(ciphers\|macs\)"
The output should now show only the allowed algorithms.
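As an added example (not part of the article or its comments), the POSIX shell functions below automate the check-edit-verify procedure above: they audit an `sshd -T` dump for the algorithms the scan flagged, rewrite sshd_config so stale Ciphers/MACs lines are replaced rather than duplicated, and only install the new file after `sshd -t` accepts it. The weak-algorithm lists are the ones named above; the hardened lists, file paths and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit `sshd -T` output for the
# algorithms the scan flagged, then rewrite sshd_config so old Ciphers/MACs
# lines are replaced rather than duplicated, validating before restart.
# WEAK_* come from the article's scan findings; everything else is assumed.

WEAK_CIPHERS="arcfour arcfour128 arcfour256"
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1-96"

# Read `sshd -T` output on stdin; print each weak algorithm still in effect.
# Exit status: 0 = clean, 1 = at least one weak algorithm still enabled.
audit_sshd_dump() {
    status=0
    while read -r key value; do
        case "$key" in
            ciphers) list=$WEAK_CIPHERS ;;
            macs)    list=$WEAK_MACS ;;
            *)       continue ;;
        esac
        for alg in $list; do
            case ",$value," in
                *",$alg,"*) echo "$key: $alg still enabled"; status=1 ;;
            esac
        done
    done
    return $status
}

# Copy config $1 to $2, dropping existing Ciphers/MACs lines (any case) and
# appending the hardened lists $3 and $4, so only one directive of each is left.
write_hardened_config() {
    src=$1; dst=$2; ciphers=$3; macs=$4
    grep -Eiv '^[[:space:]]*(ciphers|macs)[[:space:]]' "$src" > "$dst"
    printf 'Ciphers %s\nMACs %s\n' "$ciphers" "$macs" >> "$dst"
}

# Install $1 over the live config $2 only if sshd -t accepts it; a rejected
# file never reaches sshd, so a typo cannot lock you out after the restart.
# Keep an existing SSH session open while a new one is tested.
validate_and_install() {
    new=$1; live=${2:-/etc/ssh/sshd_config}
    if sshd -t -f "$new"; then
        cp "$live" "$live.bak" && cp "$new" "$live" && service sshd restart
    else
        echo "rejected by sshd -t; live config left untouched" >&2
        return 1
    fi
}
```

Typical use: `sshd -T | audit_sshd_dump`, then `write_hardened_config /etc/ssh/sshd_config /tmp/sshd_config.new "aes256-ctr,aes128-ctr" "hmac-sha2-512,hmac-sha2-256"` followed by `validate_and_install /tmp/sshd_config.new`.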
How is this done with Airwave AMP 8.2.4, where the shell CLI is no longer available?
Within the CLI on the device (switch CLI), sign in and type config, then type the following commands:
sh ip ssh
no ip ssh cipher <cipher below>
aes128-cbc
3des-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
rijndael-cbc@lysator.liu.se
no ip ssh mac <mac below>
hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
I followed the instructions, but using the algos I needed to disable:
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
ciphers 3des-cbc, blowfish-cbc, cast128-cbc
macs hmac-sha1, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com
And now I can no longer access my SSH, and without access to SSH I can't even undo the changes. How can I fix this, please? Other than deleting my server and losing 5 days of work.