How to disable SSH cipher/ MAC algorithms

MVP Expert

Requirement:

Security scans may flag the following server-to-client or client-to-server encryption algorithms (ciphers) as vulnerable:

arcfour
arcfour128
arcfour256

Below are some of the Message Authentication Code (MAC) algorithms that scans flag in the same way:

hmac-md5
hmac-md5-96
hmac-sha1-96



Solution:

Based on the SSH scan result you may want to disable these ciphers and MACs.

Before that, check which ciphers and MACs sshd currently allows using the command below (sshd -T prints the effective configuration):

# sshd -T | grep "\(ciphers\|macs\)"



Configuration:

You could disable the ciphers by editing sshd_config and listing only the algorithms that should remain allowed (the Ciphers and MACs lines are allow-lists; anything not listed is disabled):

# vi /etc/ssh/sshd_config

Press the 'i' key to enter insert mode, then copy the lines below to the end of the file.

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com


Now save the file by pressing 'Esc', then typing ':wq!' and Enter.


Then restart the sshd service:

# service sshd restart


Verification:

Run the command again to verify the allowed ciphers and MACs:

# sshd -T | grep "\(ciphers\|macs\)"


This would only show the allowed algorithms now. 
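As an added example (not part of the original article), the following POSIX shell script automates both the check and the configuration step above: it takes `sshd -T` output, reports which of the flagged algorithms are still enabled, and prints Ciphers/MACs lines with those algorithms removed, ready to paste into sshd_config. The `sshd -T` sample is constructed, and the WEAK_CIPHERS/WEAK_MACS lists are just the algorithms named above; extend them if your scanner flags others.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output against a list of flagged algorithms
# and produce sshd_config lines that keep only the remaining ones.

# Constructed sample of `sshd -T | grep "\(ciphers\|macs\)"` output. On a live
# host replace it with the real output, e.g. SAMPLE=$(sshd -T 2>/dev/null).
SAMPLE='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-md5-96,hmac-sha1-96'

# Algorithms the article says scanners flag; extend as your scanner requires.
WEAK_CIPHERS='arcfour arcfour128 arcfour256'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1-96'

# enabled_list <keyword> <sshd -T output>: that keyword's algorithms, one per line
enabled_list() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }' | tr ',' '\n'
}

# find_weak <keyword> <weak-list> <sshd -T output>
# Prints each flagged algorithm that is still enabled, one per line.
find_weak() {
  enabled=$(enabled_list "$1" "$3")
  for w in $2; do
    printf '%s\n' "$enabled" | grep -Fqx -- "$w" && printf '%s\n' "$w"
  done
  return 0
}

# strip_weak <keyword> <weak-list> <sshd -T output>
# Prints an sshd_config line listing only the non-flagged algorithms. Because
# Ciphers and MACs are allow-lists, installing this line disables the rest.
strip_weak() {
  keep=''
  for a in $(enabled_list "$1" "$3"); do
    drop=0
    for w in $2; do
      [ "$a" = "$w" ] && drop=1
    done
    [ "$drop" -eq 0 ] && keep="${keep:+$keep,}$a"
  done
  printf '%s %s\n' "$1" "$keep"
}

# Demonstration against the constructed sample
echo "Flagged ciphers still enabled:"; find_weak ciphers "$WEAK_CIPHERS" "$SAMPLE"
echo "Flagged MACs still enabled:";    find_weak macs    "$WEAK_MACS"    "$SAMPLE"
echo "Lines to put in /etc/ssh/sshd_config:"
strip_weak ciphers "$WEAK_CIPHERS" "$SAMPLE"
strip_weak macs    "$WEAK_MACS"    "$SAMPLE"
```

The generated lines deliberately start from what sshd already negotiates rather than from a fixed list, so the algorithms that remain are exactly the ones the host's OpenSSH build supports minus the flagged ones; a hand-written list can silently include names the server rejects.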

Last update: 09-09-2019 09:00 AM

Comments

How is this done with Airwave AMP 8.2.4, where the shell CLI is no longer available?

Within the CLI on the device (switch CLI):

Sign in and type config, then type the following commands:

sh ip ssh

no ip ssh cipher <cipher from the list below>
aes128-cbc
3des-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
rijndael-cbc@lysator.liu.se

no ip ssh mac <MAC from the list below>
hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96

I followed the instructions, but using the algos I needed to disable.

kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
ciphers 3des-cbc, blowfish-cbc, cast128-cbc
macs hmac-sha1, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com

And now I can no longer access my SSH, and without access to SSH I can't even undo the changes. How can I fix this please? Other than deleting my server and losing 5 days of work.
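An added example, not from the article or from either commenter, showing the check a practitioner runs before restarting sshd with changed Ciphers, MACs or KexAlgorithms lines. Each directive must be one keyword followed by one comma-separated list with no spaces inside it; sshd treats extra tokens after the list as garbage at the end of the line and refuses to start, which takes the service down on restart. After the syntax check, `sshd -t -f <file>` lets sshd itself validate the candidate file without touching the running daemon. The candidate lines below are constructed, and `check_algo_line`, `check_candidate` and `apply_candidate` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: validate candidate Ciphers/MACs/KexAlgorithms lines before
# they go into sshd_config, then let sshd check the whole file with `sshd -t`.

# check_algo_line <line>
# Returns 0 when the line is a keyword followed by exactly one comma-separated
# list: no spaces inside the list, no empty items, and the keyword is one of
# the three algorithm directives. Keyword matching is case-insensitive, as in sshd.
check_algo_line() {
  set -- $1                       # split on whitespace into $1 $2 ...
  [ $# -eq 2 ] || return 1        # "ciphers a, b" splits into 3+ fields
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case $kw in
    ciphers|macs|kexalgorithms) ;;
    *) return 1 ;;
  esac
  case $2 in
    *,,*|,*|*,) return 1 ;;       # empty item somewhere in the list
  esac
  return 0
}

# check_candidate <file>
# Runs check_algo_line over every algorithm directive in a candidate config.
# Returns the number of malformed lines (0 means all well-formed).
check_candidate() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    kw=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
    case $kw in
      ciphers|macs|kexalgorithms)
        check_algo_line "$line" || { echo "malformed: $line" >&2; bad=$((bad + 1)); } ;;
    esac
  done < "$1"
  return "$bad"
}

# apply_candidate <candidate> <live>   (hypothetical helper; not run below)
# Installs the candidate only if sshd accepts it, keeping a timestamped backup.
# Restart sshd afterwards from a session you keep open until a fresh login works.
apply_candidate() {
  check_candidate "$1" || return 1
  sshd -t -f "$1" || { echo "sshd rejected $1; not installing" >&2; return 1; }
  cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)" && cp "$1" "$2"
}

# Demonstration with constructed lines: the first pair is well-formed, the
# second has spaces after the commas, which sshd rejects.
GOOD='ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512'
BAD='ciphers 3des-cbc, blowfish-cbc, cast128-cbc
macs hmac-sha1, hmac-sha1-etm@openssh.com'

tmp=$(mktemp)
printf '%s\n' "$GOOD" > "$tmp"
check_candidate "$tmp" && echo "good candidate: ok"
printf '%s\n' "$BAD" > "$tmp"
check_candidate "$tmp" || echo "bad candidate: $? malformed line(s)"
rm -f "$tmp"
```

The syntax check is only the first gate: a well-formed line can still lock you out if it leaves no algorithm the client supports, so the second gate is a new login from another terminal while the old session stays connected and can still revert the file.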
