[CentOS] SSH Weak Ciphers

Tue Oct 18 22:42:26 UTC 2016
Alice Wonder <alice at domblogger.net>

On CentOS 7 I put the following at the end of ssh

KexAlgorithms 
curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256

I believe that prevents the CBC ciphers from being used.

CentOS 6 I *think* does not support curve25519 so that one may not be an 
option for CentOS 6. That really should be patched in CentOS 5 and 6.

For the DH key exchange, I generate custom 2048 and 4096 DH keys

pushd /etc/ssh
ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates
ssh-keygen -G moduli-4096.candidates -b 4096
ssh-keygen -T moduli-4096 -f moduli-4096.candidates

cp moduli moduli-backup
cat moduli-2048 moduli-4096 > moduli

systemctl restart sshd.service


On 10/18/2016 03:28 PM, Clint Dilks wrote:
> Hi,
>
> In a recent security review some systems I manage were flagged due to
> supporting "weak" ciphers, specifically the ones listed below.  So first
> question is are people generally modifying the list of ciphers supported by
> the ssh client and sshd?
>
> On CentOS 6 currently it looks like if I remove all the ciphers they are
> concerned about then I am left with Ciphers
> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
> /etc/ssh/ssh_config.  Is just using these three ciphers like to cause me
> any problems?  Could having so few ciphers be creating a security concern
> itself?
>
> Thanks
>
>
>
> The following weak client-to-server encryption algorithms are supported by
> the remote service:
> rijndael-cbc at lysator.liu.se
> arcfour256
> arcfour128
> aes256-cbc
> 3des-cbc
> aes192-cbc
> blowfish-cbc
> cast128-cbc
> arcfour
> aes128-cbc
>
> The following weak server-to-client encryption algorithms are supported by
> the remote service:
> rijndael-cbc at lysator.liu.se
> arcfour256
> arcfour128
> aes256-cbc
> 3des-cbc
> aes192-cbc
> blowfish-cbc
> cast128-cbc
> arcfour
> aes128-cbc
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>