- Overview
- Allowed MACs
- Disallowed ciphers
- Customizing ciphers
- Configuration file
- Verifying SSHD configuration changes
- Modifying the configuration
Overview
This article outlines the security configurations for SSH (Secure Shell) and SSHD (SSH Daemon) to ensure the use of ciphers, in compliance with seclevel=2. It details the allowed Message Authentication Codes (MACs) and ciphers and provides instructions for disabling weak ciphers. The minimum TLS Version is TLS 1.2. For the OpenSSH specifications, see OpenSSH: Specifications.
Allowed MACs
The following MACs are permitted for SSH and SSHD:
- umac-128-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- umac-128@openssh.com
- hmac-sha2-256
- hmac-sha2-512
Disallowed ciphers
The following cipher is disallowed:
- chacha20-poly1305@openssh.com (due to the Terrapin vulnerability)
Customizing ciphers
You can remove any ciphers from the sshd_config file for any reason.
Configuration file
The following configuration is for the SSH server (SSHD).
The relevant section in /etc/ssh/sshd_config will appear something like this:
# Message Authentication Codes
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
# Ciphers
ciphers -chacha20-poly1305@openssh.com
# Specify allowed host key algorithms
HostKeyAlgorithms ssh-rsa,ssh-ed25519
In this example, only RSA and ED25519 host key algorithms are allowed. You can customize the list based on your security requirements and preferences.
Make sure to restart the SSHD service after making changes to the configuration file for the changes to take effect:
sudo systemctl restart sshd
Verifying SSHD configuration changes
To verify whether the modification to the SSHD configuration file successfully disabled the ssh-rsa algorithm, follow these steps:
1. Check for existing configuration: Open the SSHD configuration file (/etc/ssh/sshd_config) and ensure that the HostKeyAlgorithms parameter includes only secure algorithms such as ssh-ed25519. If this parameter is not present, or if ssh-rsa is still included, proceed to the next steps to modify the configuration.
2. Modify the SSHD configuration: If necessary, add or modify the HostKeyAlgorithms parameter in the SSHD configuration file to include only secure algorithms such as ssh-ed25519. You can add this parameter to the bottom of the file on a new line if it's not already present.
3. Restart SSHD service: After making the modification, restart the SSHD service to apply the changes:
sudo systemctl restart sshd
4. Test SSH connection: Use an external SSH client to attempt an SSH connection to the server in question. You can specify the -o option to enforce the use of a specific algorithm:
ssh -o HostKeyAlgorithms=ssh-rsa user@hostname
5. Observe the connection outcome: If the SSH connection is denied or fails, it indicates that the ssh-rsa algorithm has been successfully disabled.
6. Verify SSHD configuration: Additionally, you can verify the SSHD configuration settings using the sshd -T command:
sshd -T | grep -i hostkeyalgorithms
Ensure that the output reflects the updated HostKeyAlgorithms setting without the ssh-rsa option.
Modifying the configuration
To add or remove a cipher:
- Open the sshd_config file in a text editor.
- Locate the ciphers or macs directive.
- Remove the cipher from the list or add a new one.
- Save the file.
- Restart the SSHD service or reboot the appliance.
Additional resources
To learn how to disable weak SSH ciphers for Linux VMs, see How to disable weak SSH ciphers for Linux VMs.