killdurst
asked on
Linux SSH Config: Removing ciphers and MACs
Hi, I need to remove CBC ciphers and the following MACs...
- hmac-md5
- hmac-md5-96
- hmac-sha1-96
I edited my "/etc/ssh/ssh_config" by changing...
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
to...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
and...
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
to...
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Then I restarted sshd by executing the following command...
service sshd restart
It shows...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
But a server scan still shows that the cipher and MACs are still supported.
How do I remove the cipher and MACs correctly?
Thanks!
In case you didn't make a typo, /etc/ssh/ssh_config is used by the ssh client. You should be editing /etc/ssh/sshd_config and then restarting the server (note the extra d).
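The reply above turns on which file sshd reads, so the server-side file can be checked for the algorithms in question before the service is restarted. The script below is an added example, not part of the original thread; the sample config, the function names and the "Keyword value" line form are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the Ciphers/MACs a server-side sshd_config enables.

# Constructed sample: Ciphers is active but still lists CBC modes; the MACs
# line is commented out, so it has no effect.
SAMPLE_SSHD_CONFIG='Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160'

# effective_list KEYWORD < config
# Value of the first uncommented KEYWORD line (keywords are case-insensitive,
# first value wins). Assumes the "Keyword value" form, not "Keyword=value".
effective_list() {
  awk -v kw="$1" '$1 ~ /^#/ { next }
                  tolower($1) == tolower(kw) { print $2; exit }'
}

# weak_algos KIND LIST
# Prints the entries of LIST the asker was told to remove: any CBC cipher,
# or the MACs hmac-md5, hmac-md5-96 and hmac-sha1-96.
weak_algos() (
  set -f; IFS=,
  for algo in $2; do
    case "$1:$algo" in
      ciphers:*-cbc|ciphers:*-cbc@*) echo "$algo" ;;
      macs:hmac-md5|macs:hmac-md5-96|macs:hmac-sha1-96) echo "$algo" ;;
    esac
  done
)

# audit_sshd_config < config
# Prints one finding per line; returns 0 only if both lists are set and clean.
audit_sshd_config() {
  cfg=$(cat); rc=0
  for kw in ciphers macs; do
    list=$(printf '%s\n' "$cfg" | effective_list "$kw")
    if [ -z "$list" ]; then
      echo "$kw: UNSET (sshd built-in defaults apply)"; rc=1; continue
    fi
    for algo in $(weak_algos "$kw" "$list"); do
      echo "$kw: WEAK $algo"; rc=1
    done
  done
  return "$rc"
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config || true
```

Run it against the real file with `audit_sshd_config < /etc/ssh/sshd_config`. On OpenSSH versions that support it, `sshd -T | audit_sshd_config` checks the effective settings, built-in defaults included.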
ASKER
By supported, I mean allowed.
So I can just copy and paste the two lines from ssh_config to sshd_config right?
Restarting the server is not an option at this point actually.
Can I just restart the sshd service?
Thanks!
ASKER
Ok, I think the changes took effect after I restarted the service cos now I can't SSH in to the server.
I'm getting an "Algorithm negotiation failed".
I'm using SSH Secure Shell to remote in.
When logging in, I tried the following encryption / MAC algorithm combinations...
AES 128 / HMAC-MD5
AES 128 / HMAC-SHA1
AES 192 / HMAC-MD5
AES 192 / HMAC-SHA1
AES 256 / HMAC-MD5
AES 256 / HMAC-SHA1
Arcfour 128 / HMAC-MD5
Arcfour 128 / HMAC-SHA1
Arcfour 256 is not listed as an option.
I can still log in using Putty though... and I can also modify the sshd_config and restart the service using the web console.
Just wondering why I can't ssh in using secure shell...
Thanks...
Did you edit the client configuration, ssh_config, to include Arcfour 256?
ASKER
Actually I've commented back the Ciphers and the MACs lines in ssh_config.
Anyway, I've decided to stick to using Putty for the command line interface and Filezilla for FTP from now onwards.
Thanks for your help regarding the tip to edit sshd_config.