Securing SSH and SSHD with ciphers

Overview

This article outlines the security configurations for SSH (Secure Shell) and SSHD (SSH Daemon) to ensure the use of ciphers, in compliance with seclevel=2. It details the allowed Message Authentication Codes (MACs) and ciphers and provides instructions for disabling weak ciphers. The minimum TLS Version is TLS 1.2. For the OpenSSH specifications, see OpenSSH: Specifications

Allowed MACs

The following MACs are permitted for SSH and SSHD:

Disallowed ciphers

The following cipher is disallowed:

Customizing ciphers

You can remove any ciphers from the sshd_config file for any reason.

Configuration file

The following configuration is for the SSH server (SSHD).

The relevant section in /etc/ssh/sshd_config will appear something like this:

# Message Authentication Codes

macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

# Ciphers

ciphers -chacha20-poly1305@openssh.com

# Specify allowed host key algorithms

HostKeyAlgorithms ssh-rsa,ssh-ed25519

In this example, only RSA and ED25519 host key algorithms are allowed. You can customize the list based on your security requirements and preferences.

Make sure to restart the SSHD service after making changes to the configuration file for the changes to take effect:

sudo systemctl restart sshd

Verifying SSHD configuration changes

To verify whether the modification to the SSHD configuration file successfully disabled the ssh-rsa algorithm, follow these steps:

1. Check for existing configuration: Open the SSHD configuration file (/etc/ssh/sshd_config) and ensure that the HostKeyAlgorithms parameter includes only secure algorithms such as ssh-ed25519. If this parameter is not present, or if ssh-rsa is still included, proceed to the next steps to modify the configuration.

2. Modify the SSHD configuration: If necessary, add or modify the HostKeyAlgorithms parameter in the SSHD configuration file to include only secure algorithms such as ssh-ed25519. You can add this parameter to the bottom of the file on a new line if it's not already present.

3. Restart SSHD service: After making the modification, restart the SSHD service to apply the changes:

sudo systemctl restart sshd

4. Test SSH connection: Use an external SSH client to attempt an SSH connection to the server in question. You can specify the -o option to enforce the use of a specific algorithm:

ssh -o HostKeyAlgorithms=ssh-rsa user@hostname

5. Observe the connection outcome: If the SSH connection is denied or fails, it indicates that the ssh-rsa algorithm has been successfully disabled.

6. Verify SSHD configuration: Additionally, you can verify the SSHD configuration settings using the sshd -T command:

sshd -T | grep -i hostkeyalgorithms

Ensure that the output reflects the updated HostKeyAlgorithms setting without the ssh-rsa option.

Modifying the configuration

To add or remove a cipher:

  1. Open the sshd_config file in a text editor.
  2. Locate the ciphers or macs directive.
  3. Remove the cipher from the list or add a new one.
  4. Save the file.
  5. Restart the SSHD service or reboot the appliance.

Additional resources

To learn how to disable weak SSH ciphers for Linux VMs, see How to disable weak SSH ciphers for Linux VMs.