Solved

Linux SSH Config: Removing ciphers and MACs

Posted on 2014-01-13
7
6,847 Views
Last Modified: 2014-01-19
Hi, I need to remove CBC ciphers and the following MACs...
 - hmac-md5
 - hmac-md5-96
 - hmac-sha1-96
I edited my "/etc/ssh/ssh_config" by changing...
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Open in new window

to...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

Open in new window

and...
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

to...
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Open in new window

Then I restarted sshd by executing the following command...
service sshd restart

Open in new window

It shows...
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Open in new window

But a server scan still shows that the cipher and MACs are still supported.
How do I remove the cipher and MACs correctly?
Thanks!
0
Comment
Question by:killdurst
  • 3
  • 3
7 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
ID: 39780290
Supported or allowed?
0
 
LVL 28

Expert Comment

by:serialband
ID: 39780386
In case you didn't make a typo, /etc/ssh/ssh_config is used by the ssh client.  You should be editing /etc/ssh/sshd_config and then restarting the server. (note the extra d )
0
 
LVL 1

Author Comment

by:killdurst
ID: 39781251
By supported, I mean allowed.

So I can just copy and paste the two lines from ssh_config to sshd_config right?
Restarting the server is not at option at this point actually.
Can I just restart the sshd service?
Thanks!
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 28

Accepted Solution

by:
serialband earned 375 total points
ID: 39782887
Yes, copy the lines to sshd_config.  You can restart just the sshd service without affecting already connected users.  Those users remain on the older configuration untill they disconnect, and new user connections use the new settings.
0
 
LVL 1

Author Comment

by:killdurst
ID: 39784383
Ok, I think the changes took effect after I restarted the service cos now I can't SSH in to the server.
I'm getting a "Algorithm negotiation failed".
I'm using SSH Secure Shell to remote in.
When logging in, I tried the following encryption / MAC algorithm combinations...
AES 128 / HMAC-MD5
AES 128 / HMAC-SHA1
AES 192 / HMAC-MD5
AES 192 / HMAC-SHA1
AES 256 / HMAC-MD5
AES 256 / HMAC-SHA1
Arcfour 128 / HMAC-MD5
Arcfour 128 / HMAC-SHA1

Arcfour 256 is not listed as an option.

I can still log in using Putty though... and I can also modify the sshd_config and restart the service using the web console.

Just wondering why I can't ssh in using secure shell...

Thanks...
0
 
LVL 28

Expert Comment

by:serialband
ID: 39785581
Did you edit the client configuraton, ssh_config to include Arcfour 256?
0
 
LVL 1

Author Comment

by:killdurst
ID: 39793156
Actually I've commented back the Ciphers and the MACs lines in ssh_config.

Anyway, I've decided to stick to using Putty for the command line interface and Filezilla for FTP from now onwards.

Thanks for your help regarding the tip to edit sshd_config.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Choosing CentOS 16 81
expectj telnet failing 5 36
Ubuntu Apache Webserver - File Permissions 5 42
ignore other .htaccess 2 45
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question