On CentOS 7 I put the following at the end of ssh KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256 I believe that prevents the CBC ciphers from being used. CentOS 6 I *think* does not support curve25519 so that one may not be an option for CentOS 6. That really should be patched in CentOS 5 and 6. For the DH key exchange, I generate custom 2048 and 4096 DH keys pushd /etc/ssh ssh-keygen -G moduli-2048.candidates -b 2048 ssh-keygen -T moduli-2048 -f moduli-2048.candidates ssh-keygen -G moduli-4096.candidates -b 4096 ssh-keygen -T moduli-4096 -f moduli-4096.candidates cp moduli moduli-backup cat moduli-2048 moduli-4096 > moduli systemctl restart sshd.service On 10/18/2016 03:28 PM, Clint Dilks wrote: > Hi, > > In a recent security review some systems I manage were flagged due to > supporting "weak" ciphers, specifically the ones listed below. So first > question is are people generally modifying the list of ciphers supported by > the ssh client and sshd? > > On CentOS 6 currently it looks like if I remove all the ciphers they are > concerned about then I am left with Ciphers > aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and > /etc/ssh/ssh_config. Is just using these three ciphers like to cause me > any problems? Could having so few ciphers be creating a security concern > itself? > > Thanks > > > > The following weak client-to-server encryption algorithms are supported by > the remote service: > rijndael-cbc at lysator.liu.se > arcfour256 > arcfour128 > aes256-cbc > 3des-cbc > aes192-cbc > blowfish-cbc > cast128-cbc > arcfour > aes128-cbc > > The following weak server-to-client encryption algorithms are supported by > the remote service: > rijndael-cbc at lysator.liu.se > arcfour256 > arcfour128 > aes256-cbc > 3des-cbc > aes192-cbc > blowfish-cbc > cast128-cbc > arcfour > aes128-cbc > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >