[CentOS] SSH Weak Ciphers

Tue Oct 18 22:28:32 UTC 2016
Clint Dilks <clintd at waikato.ac.nz>

Hi,

In a recent security review some systems I manage were flagged due to
supporting "weak" ciphers, specifically the ones listed below.  So first
question is are people generally modifying the list of ciphers supported by
the ssh client and sshd?

On CentOS 6 currently it looks like if I remove all the ciphers they are
concerned about then I am left with Ciphers
aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
/etc/ssh/ssh_config.  Is just using these three ciphers likely to cause me
any problems?  Could having so few ciphers be creating a security concern
itself?

Thanks



The following weak client-to-server encryption algorithms are supported by
the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

The following weak server-to-client encryption algorithms are supported by
the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
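
A check for the change described in the post, as an added example that is not part of the original message: it reads the Ciphers line from an sshd_config or ssh_config style file and reports every entry that is on the scan report's list. The function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a config's Ciphers line with the scan report's list.

# The ten cipher names flagged in the report quoted in the post.
FLAGGED="rijndael-cbc@lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc
aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc"

# Print the ciphers from the first Ciphers line, one per line.
# OpenSSH uses the first value it obtains for a keyword, and keywords are
# case-insensitive. Simplification: Host blocks in ssh_config are not modelled.
ciphers_in_config() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1" | tr ',' '\n'
}

# Print each configured cipher that appears in FLAGGED.
# Prints DEFAULTS when the file has no Ciphers line, because the built-in
# default list then applies and has to be checked on the host itself.
flagged_in_config() {
    configured=$(ciphers_in_config "$1")
    if [ -z "$configured" ]; then
        echo "DEFAULTS"
        return 0
    fi
    for c in $configured; do
        for f in $FLAGGED; do
            if [ "$c" = "$f" ]; then echo "$c"; fi
        done
    done
}

# Constructed sample configs (not taken from the poster's systems).
demo() {
    dir=$(mktemp -d)
    printf 'Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n' > "$dir/hardened"
    printf '#Ciphers aes128-ctr\nciphers aes128-ctr,aes128-cbc,arcfour\n' > "$dir/mixed"
    printf 'Port 22\n' > "$dir/unset"
    for f in hardened mixed unset; do
        echo "$f: $(flagged_in_config "$dir/$f" | tr '\n' ' ')"
    done
    rm -rf "$dir"
}
demo
```

An empty result for a file means none of its configured ciphers are on the report's list; on a live server, `sshd -T` prints the effective configuration and can be used to confirm what the daemon actually loaded.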