The Geek Diary
How To Disable Weak Cipher And Insecure HMAC Algorithms In SSH Services In CentOS/RHEL 8

by admin

Question: How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services in CentOS/RHEL 8?

To disable weak ciphers and insecure HMAC algorithms in the SSH service on CentOS/RHEL 8, follow the instructions below:

1. Edit /etc/sysconfig/sshd and uncomment the CRYPTO_POLICY line. While this line is commented out, sshd follows the system-wide crypto policy and ignores the algorithm settings in sshd_config; uncommenting it makes sshd honour the Ciphers, MACs and KexAlgorithms values you set in the next step:

Before:

# CRYPTO_POLICY=[Original value]

After:

CRYPTO_POLICY=[New value]

2. Make sure the correct Ciphers, MACs and KexAlgorithms have been added to the /etc/ssh/sshd_config file:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

3. Restart the sshd service so the new settings take effect:

# systemctl restart sshd

4. To test whether weak CBC ciphers are still enabled, run the following command from a client, offering only the weak ciphers:

# ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [@IP of your Server]

If the connection succeeds and you are prompted for a password, the server accepted one of the weak ciphers, so they are still enabled.

If the server rejects the weak ciphers, you should receive a message like this:

Unable to negotiate with  port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr

This means the mitigations are working properly.

5. To test whether weak HMAC algorithms are still enabled, run the following command from a client, offering only the weak MACs:

# ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com [@IP of your Server]
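The manual tests in steps 4 and 5 only tell you whether one connection attempt succeeded. The script below is an added example (not part of the article) that audits the algorithm lists themselves: it checks a Ciphers/MACs/KexAlgorithms line from sshd_config, a line of `sshd -T` output, or the server's "Their offer:" list from `ssh -vv` for the CBC, MD5, SHA-1 and umac-64 families this article disables. The `audit_sshd` helper assumes it is run as root on the server, where `sshd -T` prints the effective merged configuration.

```shell
#!/bin/sh
# Added example: audit an SSH algorithm list for the weak CBC ciphers and
# MD5/SHA-1/umac-64 MACs (and SHA-1 kex) that the steps above disable.
# find_weak prints the weak names found, comma-separated, and returns 1 when
# any were found, 0 when the list is clean.

# POSIX ERE for the algorithm families treated as weak here. The family must
# end the name, allowing the optional -96, -etm and @openssh.com suffixes.
WEAK_RE='(^|-)(cbc|md5|sha1|umac-64)(-96)?(-etm@openssh\.com|@openssh\.com)?$'

find_weak() {
    line=$1
    # Keep only the comma-separated list: strip a leading keyword such as
    # "Ciphers", or everything up to "Their offer: " in an ssh -vv error.
    case $line in
        *"Their offer: "*) line=${line##*"Their offer: "} ;;
        *" "*)             line=${line#* } ;;
    esac
    weak=
    old_ifs=$IFS; IFS=','
    for alg in $line; do
        if printf '%s\n' "$alg" | grep -Eq "$WEAK_RE"; then
            weak="$weak${weak:+,}$alg"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$weak"
    [ -z "$weak" ]
}

# Check the running sshd's effective configuration (run as root on the
# server). sshd -T shows the merged result of sshd_config and, if step 1 was
# skipped, the system-wide crypto policy, i.e. what clients actually negotiate.
audit_sshd() {
    sshd -T 2>/dev/null | grep -Ei '^(ciphers|macs|kexalgorithms) ' |
    while read -r kw list; do
        if weak=$(find_weak "$kw $list"); then
            printf '%-13s OK\n' "$kw"
        else
            printf '%-13s WEAK: %s\n' "$kw" "$weak"
        fi
    done
}
```

Run `audit_sshd` after step 3 to confirm every list is reported OK; a line such as `ciphers       WEAK: aes128-cbc` means the change has not taken effect (typically because step 1 was skipped).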

© 2023 · The Geek Diary
