Linux SSH Config: Removing ciphers and MACs

Hi, I need to remove CBC ciphers and the following MACs...
 - hmac-md5
 - hmac-md5-96
 - hmac-sha1-96
I edited my "/etc/ssh/ssh_config" by changing...
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Open in new window

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

Open in new window

# MACs hmac-md5,hmac-sha1,,hmac-ripemd160

Open in new window

MACs hmac-sha1,,hmac-ripemd160

Open in new window

Then I restarted sshd by executing the following command...
service sshd restart

Open in new window

It shows...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Open in new window

But a server scan still shows that the cipher and MACs are still supported.
How do I remove the cipher and MACs correctly?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
Supported or allowed?
In case you didn't make a typo, /etc/ssh/ssh_config is used by the ssh client.  You should be editing /etc/ssh/sshd_config and then restarting the server. (note the extra d )
killdurstAuthor Commented:
By supported, I mean allowed.

So I can just copy and paste the two lines from ssh_config to sshd_config right?
Restarting the server is not at option at this point actually.
Can I just restart the sshd service?
Get Blueprints for Increased Customer Retention

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Yes, copy the lines to sshd_config.  You can restart just the sshd service without affecting already connected users.  Those users remain on the older configuration untill they disconnect, and new user connections use the new settings.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
killdurstAuthor Commented:
Ok, I think the changes took effect after I restarted the service cos now I can't SSH in to the server.
I'm getting a "Algorithm negotiation failed".
I'm using SSH Secure Shell to remote in.
When logging in, I tried the following encryption / MAC algorithm combinations...
AES 128 / HMAC-MD5
AES 192 / HMAC-MD5
AES 256 / HMAC-MD5
Arcfour 128 / HMAC-MD5
Arcfour 128 / HMAC-SHA1

Arcfour 256 is not listed as an option.

I can still log in using Putty though... and I can also modify the sshd_config and restart the service using the web console.

Just wondering why I can't ssh in using secure shell...

Did you edit the client configuraton, ssh_config to include Arcfour 256?
killdurstAuthor Commented:
Actually I've commented back the Ciphers and the MACs lines in ssh_config.

Anyway, I've decided to stick to using Putty for the command line interface and Filezilla for FTP from now onwards.

Thanks for your help regarding the tip to edit sshd_config.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.