On CentOS 7 I put the following at the end of ssh
KexAlgorithms
curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
I believe that prevents the CBC ciphers from being used.
CentOS 6 I *think* does not support curve25519 so that one may not be an
option for CentOS 6. That really should be patched in CentOS 5 and 6.
For the DH key exchange, I generate custom 2048 and 4096 DH keys
pushd /etc/ssh
ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates
ssh-keygen -G moduli-4096.candidates -b 4096
ssh-keygen -T moduli-4096 -f moduli-4096.candidates
cp moduli moduli-backup
cat moduli-2048 moduli-4096 > moduli
systemctl restart sshd.service
On 10/18/2016 03:28 PM, Clint Dilks wrote:
Hi,
In a recent security review some systems I manage were flagged due to
supporting "weak" ciphers, specifically the ones listed below. So first
question is are people generally modifying the list of ciphers supported by
the ssh client and sshd?
On CentOS 6 currently it looks like if I remove all the ciphers they are
concerned about then I am left with Ciphers
aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
/etc/ssh/ssh_config. Is just using these three ciphers like to cause me
any problems? Could having so few ciphers be creating a security concern
itself?
Thanks
The following weak client-to-server encryption algorithms are supported by
the remote service:
rijndael-cbc@xxxxxxxxxxxxxx
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
The following weak server-to-client encryption algorithms are supported by
the remote service:
rijndael-cbc@xxxxxxxxxxxxxx
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
