On CentOS 7 I put the following at the end of ssh
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
I believe that prevents the CBC ciphers from being used.
CentOS 6 I *think* does not support curve25519 so that one may not be an option for CentOS 6. That really should be patched in CentOS 5 and 6.
For the DH key exchange, I generate custom 2048 and 4096 DH keys
pushd /etc/ssh ssh-keygen -G moduli-2048.candidates -b 2048 ssh-keygen -T moduli-2048 -f moduli-2048.candidates ssh-keygen -G moduli-4096.candidates -b 4096 ssh-keygen -T moduli-4096 -f moduli-4096.candidates
cp moduli moduli-backup cat moduli-2048 moduli-4096 > moduli
systemctl restart sshd.service
On 10/18/2016 03:28 PM, Clint Dilks wrote:
Hi,
In a recent security review some systems I manage were flagged due to supporting "weak" ciphers, specifically the ones listed below. So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?
On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config. Is just using these three ciphers like to cause me any problems? Could having so few ciphers be creating a security concern itself?
Thanks
The following weak client-to-server encryption algorithms are supported by the remote service: rijndael-cbc@lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc
The following weak server-to-client encryption algorithms are supported by the remote service: rijndael-cbc@lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos