• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services for CentOS/RHEL 6 and 7

by admin

This post will show how to Disable the HMAC MD5 and the CBC ciphers as an example for CentOS/RHEL 6 and 7.

For CentOS/RHEL 7

For more information please look at the man pages:

# man sshd_config

Ciphers

Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them.

The supported ciphers are:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com

The default is:

chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,aes192-cbc,aes256-cbc,
blowfish-cbc,cast128-cbc,3des-cbc

The list of available ciphers may also be obtained using “ssh -Q cipher”. For example:

# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

In order to disable the CBC ciphers please update the /etc/ssh/sshd_config with the Ciphers that are required except the CBC ciphers.

To Disable CBC:

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

Restart the sshd service after the changes have been made.

# systemctl restart sshd

MACs

MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them.

The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. The supported MACs are:

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

The default is:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1,
hmac-sha1-etm@openssh.com

The list of available MAC algorithms may also be obtained using “ssh -Q mac”. For example:

# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

In order to disable the hmac-md5 MACs algorithms please update the /etc/ssh/sshd_config with the Macs that are required except the hmac-md5 for ecample:

MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

Restart the sshd service after the changes have been made.

# systemctl restart sshd

For CentOS/RHEL 6

In CentOS/RHEL 6 the commands to list the available ciphers and MACs are “sshd -T | grep ciphers | perl -pe ‘s/,/\n/g’ | sort -u” and “nmap -vv –script=ssh2-enum-algos.nse -p 22 localhost”:

# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
nmap -vv --script=ssh2-enum-algos.nse -p 22 localhost

For more information please look at the man pages:

# man sshd_config

Ciphers

Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
arcfour128
arcfour256
arcfour
blowfish-cbc
rijndael-cbc@lysator.liu.se
cast128-cbc

The default is:

aes128-ctr
aes192-ctr
aes256-ctr
arcfour256
arcfour128
aes128-cbc
3des-cbc
blowfish-cbc
cast128-cbc
aes192-cbc
aes256-cbc
arcfour
rijndael-cbc@lysator.liu.se

In order to disable the CBC ciphers please update the /etc/ssh/sshd_config with the Ciphers that are required except the CBC ciphers.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

Restart the sshd service after the changes have been made.

# service sshd restart

MACs

MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is:

hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

In order to disable the hmac-md5 MACs algorithms please update the /etc/ssh/sshd_config with the Macs that are required except the hmac-md5 for ecample:

MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

Restart the sshd service after the changes have been made:

# service sshd restart
How To Disable Weak Cipher And Insecure HMAC Algorithms In SSH Services In CentOS/RHEL 8

Filed Under: CentOS/RHEL, CentOS/RHEL 6, CentOS/RHEL 7, Linux

Some more articles you might also be interested in …

  1. How to enable or disable service on boot with chkconfig
  2. Examples of using tcpdump command for network troubleshooting
  3. gcov: command not found
  4. How to Enable Remote Desktop to Share the Current Desktop Session in CentOS/RHEL 7
  5. rename: command not found
  6. Bind to port 22 on 0.0.0.0 failed: address already in use – error while starting sshd service CentOS/RHEL
  7. How to Access VNC Server Through A Web Browser in CentOS/RHEL
  8. locale: command not found
  9. How to backup Linux OS using “dd” Command
  10. dolphin Command Examples in Linux

You May Also Like

Primary Sidebar

Recent Posts

  • powertop Command Examples in Linux
  • powertop: command not found
  • powerstat: command not found
  • powerstat Command Examples in Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright