SSH

RedHat 6/7

unix# cd /etc/ssh
unix# vi sshd_config
...
# restrict ciphers to CTR modes only (this excludes arcfour, the CBC modes and others)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
...
unix# service sshd restart
unix#
unix# ssh -vv -oCiphers=aes128-cbc,aes256-cbc 127.0.0.1 # Test it: offering only the excluded CBC ciphers should fail to negotiate

RedHat 8

     ### See: https://www.redhat.com/en/blog/configuring-rhel-8-compliance-crypto-policy-related-cipher-block-chaining

unix# vi /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
...
ssh_cipher = -AES-128-CBC -AES-256-CBC -CAMELLIA-256-CBC -CAMELLIA-128-CBC (deprecated key name)
cipher@ssh = -AES-128-CBC -AES-256-CBC -CAMELLIA-256-CBC -CAMELLIA-128-CBC (key name on RHEL 8.5)
...
unix# update-crypto-policies --set DEFAULT:DISABLE-CBC
unix# update-crypto-policies --show
unix# service sshd restart
unix#
unix# ssh -vv -oCiphers=aes128-cbc,aes256-cbc 127.0.0.1 # Test it: offering only the disabled CBC ciphers should fail to negotiate
