Home » How to disable weak SSH ciphers in Linux

How to disable weak SSH ciphers in Linux

  • by

To connect to remote computers, SSH is a standard protocol. Evidently, OpenSSH also has become a popular essential tool on Linux, BSD’s, OS X, and Windows. this below tutorial How to disable weak SSH ciphers in Linux

However, older OpenSSH installations may not support strong ciphers or protocols. As a result, new OpenSSH installations often enable relatively weak ciphers/protocols ensuring backward-compatibility with older clients.

Cipher is a set of procedures for performing encryption or decryption of data with SSH protocol.

The data transfer is dependable on Cipher set. By default, most server administrators always disable weak algorithms and only allow stronger ones. As a result, this leads to a mismatch in SSL ciphers in various servers.

How to disable weak SSH ciphers in Linux

Let’s now take a deep look into how our Engineers the weak algorithms. This can be done either at the server side or at the client-side.
Initially, we execute the following command within the system that we want to verify:

sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"

For example, the above command can show output as given below:

gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

disable SSH weak

Ensuring some compliance is mandatory and fundamental in any organization that accepts, transmits or stores any cardholder data, regardless of the size or number of transactions. SSH-enabled access to critical systems and data is a vital factor in gaining and remaining compliant vendor.

so I have disable all diffie on /etc/ssh/sshd_config

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

At last, to make the changes effective in SSH, we restart sshd service

service sshd restart

That’s it!


Leave a Reply

Your email address will not be published.

ten + 20 =