Tuesday, November 29, 2022

How to disable weak SSH ciphers in Linux

SSH is the standard protocol for connecting to remote computers, and OpenSSH has become an essential tool on Linux, the BSDs, OS X and Windows. This tutorial shows how to disable weak SSH ciphers in Linux.

However, older OpenSSH installations may not support strong ciphers or protocols. To stay backward-compatible with such older clients, new OpenSSH installations often still enable relatively weak ciphers and protocols.

A cipher is the set of procedures the SSH protocol uses to encrypt and decrypt data.

Data transfer depends on the cipher set both sides support. By default, most server administrators disable weak algorithms and allow only stronger ones, which leads to SSH cipher mismatches between different servers and clients.

How to disable weak SSH ciphers in Linux

Let’s now take a deep look into how our engineers disable the weak algorithms. This can be done either on the server side or on the client side.
First, we run the following command on the system we want to verify:

sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"

For example, the above command can show output as given below:

gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1


Maintaining compliance is mandatory and fundamental for any organization that accepts, transmits or stores cardholder data, regardless of its size or number of transactions. Controlling SSH access to critical systems and data is a vital factor in becoming and remaining a compliant vendor.

So I have disabled all the Diffie-Hellman algorithms in /etc/ssh/sshd_config:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Finally, to make the changes effective, we restart the sshd service:

service sshd restart

That’s it!


