Question: How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services in CentOS/RHEL 8?
In order to disable weak Ciphers and insecure HMAC algorithms in ssh services in CentOS/RHEL 8 please follow the instructions bellow:
1. Edit /etc/sysconfig/sshd and uncomment CRYPTO_POLICY line:
Before:
# CRYPTO_POLICY=[Original value]
After:
CRYPTO_POLICY=[New value]
2. Make sure correct Ciphers, MACs and KexAlgorithms have been added to /etc/ssh/sshd_config file.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
3. Restart sshd service:
# systemctl restart sshd
4. To test if weak CBC Ciphers are enabled, run the below command:
# ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [@IP of your Server]
If successful, it will prompt for a password. This means weak ciphers are enabled.
If it fails, you should receive a message like this:
Unable to negotiate withport 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
This means the mitigations are working properly.
5. To test if weak HMAC algorithms are enabled, run the below command:
# ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com [@IP of your Server]