Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Linux SSH Config: Removing ciphers and MACs

Posted on 2014-01-13
7
6,948 Views
Last Modified: 2014-01-19
Hi, I need to remove CBC ciphers and the following MACs...
 - hmac-md5
 - hmac-md5-96
 - hmac-sha1-96
I edited my "/etc/ssh/ssh_config" by changing...
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Open in new window

to...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

Open in new window

and...
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

to...
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

Then I restarted sshd by executing the following command...
service sshd restart

Open in new window

It shows...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Open in new window

But a server scan still shows that the cipher and MACs are still supported.
How do I remove the cipher and MACs correctly?
Thanks!
0
Comment
Question by:killdurst
  • 3
  • 3
7 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
ID: 39780290
Supported or allowed?
0
 
LVL 29

Expert Comment

by:serialband
ID: 39780386
In case you didn't make a typo, /etc/ssh/ssh_config is used by the ssh client.  You should be editing /etc/ssh/sshd_config and then restarting the server. (note the extra d )
0
 
LVL 1

Author Comment

by:killdurst
ID: 39781251
By supported, I mean allowed.

So I can just copy and paste the two lines from ssh_config to sshd_config right?
Restarting the server is not at option at this point actually.
Can I just restart the sshd service?
Thanks!
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 29

Accepted Solution

by:
serialband earned 375 total points
ID: 39782887
Yes, copy the lines to sshd_config.  You can restart just the sshd service without affecting already connected users.  Those users remain on the older configuration untill they disconnect, and new user connections use the new settings.
0
 
LVL 1

Author Comment

by:killdurst
ID: 39784383
Ok, I think the changes took effect after I restarted the service cos now I can't SSH in to the server.
I'm getting a "Algorithm negotiation failed".
I'm using SSH Secure Shell to remote in.
When logging in, I tried the following encryption / MAC algorithm combinations...
AES 128 / HMAC-MD5
AES 128 / HMAC-SHA1
AES 192 / HMAC-MD5
AES 192 / HMAC-SHA1
AES 256 / HMAC-MD5
AES 256 / HMAC-SHA1
Arcfour 128 / HMAC-MD5
Arcfour 128 / HMAC-SHA1

Arcfour 256 is not listed as an option.

I can still log in using Putty though... and I can also modify the sshd_config and restart the service using the web console.

Just wondering why I can't ssh in using secure shell...

Thanks...
0
 
LVL 29

Expert Comment

by:serialband
ID: 39785581
Did you edit the client configuraton, ssh_config to include Arcfour 256?
0
 
LVL 1

Author Comment

by:killdurst
ID: 39793156
Actually I've commented back the Ciphers and the MACs lines in ssh_config.

Anyway, I've decided to stick to using Putty for the command line interface and Filezilla for FTP from now onwards.

Thanks for your help regarding the tip to edit sshd_config.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
We all know how boring and exhausting it is to transfer huge web projects developed locally to a webserver simply via FTP. The File Transfer Protocol is a really nice solution if you need to transfer small amounts of files, but if you're plannin…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question