?
Solved

Linux SSH Config: Removing ciphers and MACs

Posted on 2014-01-13
7
Medium Priority
?
7,523 Views
Last Modified: 2014-01-19
Hi, I need to remove CBC ciphers and the following MACs...
 - hmac-md5
 - hmac-md5-96
 - hmac-sha1-96
I edited my "/etc/ssh/ssh_config" by changing...
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Open in new window

to...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

Open in new window

and...
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

to...
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

Then I restarted sshd by executing the following command...
service sshd restart

Open in new window

It shows...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Open in new window

But a server scan still shows that the cipher and MACs are still supported.
How do I remove the cipher and MACs correctly?
Thanks!
0
Comment
Question by:killdurst
  • 3
  • 3
7 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 500 total points
ID: 39780290
Supported or allowed?
0
 
LVL 31

Expert Comment

by:serialband
ID: 39780386
In case you didn't make a typo, /etc/ssh/ssh_config is used by the ssh client.  You should be editing /etc/ssh/sshd_config and then restarting the server. (note the extra d )
0
 
LVL 1

Author Comment

by:killdurst
ID: 39781251
By supported, I mean allowed.

So I can just copy and paste the two lines from ssh_config to sshd_config right?
Restarting the server is not at option at this point actually.
Can I just restart the sshd service?
Thanks!
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 31

Accepted Solution

by:
serialband earned 1500 total points
ID: 39782887
Yes, copy the lines to sshd_config.  You can restart just the sshd service without affecting already connected users.  Those users remain on the older configuration untill they disconnect, and new user connections use the new settings.
0
 
LVL 1

Author Comment

by:killdurst
ID: 39784383
Ok, I think the changes took effect after I restarted the service cos now I can't SSH in to the server.
I'm getting a "Algorithm negotiation failed".
I'm using SSH Secure Shell to remote in.
When logging in, I tried the following encryption / MAC algorithm combinations...
AES 128 / HMAC-MD5
AES 128 / HMAC-SHA1
AES 192 / HMAC-MD5
AES 192 / HMAC-SHA1
AES 256 / HMAC-MD5
AES 256 / HMAC-SHA1
Arcfour 128 / HMAC-MD5
Arcfour 128 / HMAC-SHA1

Arcfour 256 is not listed as an option.

I can still log in using Putty though... and I can also modify the sshd_config and restart the service using the web console.

Just wondering why I can't ssh in using secure shell...

Thanks...
0
 
LVL 31

Expert Comment

by:serialband
ID: 39785581
Did you edit the client configuraton, ssh_config to include Arcfour 256?
0
 
LVL 1

Author Comment

by:killdurst
ID: 39793156
Actually I've commented back the Ciphers and the MACs lines in ssh_config.

Anyway, I've decided to stick to using Putty for the command line interface and Filezilla for FTP from now onwards.

Thanks for your help regarding the tip to edit sshd_config.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses
Course of the Month17 days, 8 hours left to enroll

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question