On CentOS 7 I put the following at the end of ssh

KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256


I believe that prevents the CBC ciphers from being used.

CentOS 6 I *think* does not support curve25519 so that one may not be an option for CentOS 6. That really should be patched in CentOS 5 and 6.

For the DH key exchange, I generate custom 2048 and 4096 DH keys

pushd /etc/ssh
# generate candidate primes, then screen them (the -T step is slow, especially for 4096)
ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates
ssh-keygen -G moduli-4096.candidates -b 4096
ssh-keygen -T moduli-4096 -f moduli-4096.candidates

# keep the stock file, then replace it with only the custom groups
cp moduli moduli-backup
cat moduli-2048 moduli-4096 > moduli
popd

systemctl restart sshd.service


On 10/18/2016 03:28 PM, Clint Dilks wrote:
Hi,

In a recent security review some systems I manage were flagged due to
supporting "weak" ciphers, specifically the ones listed below.  So first
question is are people generally modifying the list of ciphers supported by
the ssh client and sshd?

On CentOS 6 currently it looks like if I remove all the ciphers they are
concerned about then I am left with Ciphers
aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
/etc/ssh/ssh_config.  Is just using these three ciphers likely to cause me
any problems?  Could having so few ciphers be creating a security concern
itself?

Thanks



The following weak client-to-server encryption algorithms are supported by
the remote service:
rijndael-...@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

The following weak server-to-client encryption algorithms are supported by
the remote service:
rijndael-...@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


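An added example, not from the thread: a small Python check for the two changes discussed above. It reads the Ciphers directive the way OpenSSH does (first occurrence wins, so a line appended at the end of sshd_config is ignored if an earlier one exists), reports which configured ciphers the scanner's list would still flag, and filters an /etc/ssh/moduli file down to large DH groups (the alternative to regenerating it). The config and moduli lines below are constructed.

```python
"""Check a Ciphers directive against the scanner's weak-cipher list and
filter /etc/ssh/moduli to large DH groups. Sample input is constructed."""
import re

# Everything the scan flagged is CBC mode, RC4 (arcfour) or the
# rijndael-cbc alias, so one pattern covers the whole list.
WEAK_CIPHER = re.compile(r"(-cbc$|^arcfour|rijndael)")


def configured_ciphers(config_text):
    """Return the list from the first Ciphers directive, or None if absent.
    sshd and ssh use the first value seen for a keyword; later copies of the
    directive (e.g. one appended at the end of the file) are ignored."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(?i)ciphers\s+(\S+)", line)
        if m:
            return m.group(1).split(",")
    return None


def weak_ciphers(config_text):
    """Subset of the configured ciphers that the scanner would still flag."""
    return [c for c in (configured_ciphers(config_text) or [])
            if WEAK_CIPHER.search(c)]


def filter_moduli(moduli_text, min_bits=2000):
    """Keep moduli lines whose size field (5th column) is >= min_bits.
    OpenSSH records the size as significant bits, e.g. 2047 for a 2048-bit
    group, which is why 2000 is the usual threshold."""
    kept = []
    for line in moduli_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        if int(fields[4]) >= min_bits:
            kept.append(line)
    return kept


# Constructed inputs: a config with an early weak Ciphers line that hides a
# hardened one appended later, and moduli lines with a shortened hex column.
SAMPLE_CONFIG = """# constructed sshd_config fragment
Port 22
Ciphers aes256-cbc,aes128-ctr,arcfour256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr   # appended later, never used
"""
SAMPLE_MODULI = """# constructed moduli lines (modulus column shortened)
20161018120000 2 6 100 1023 2 ABCDEF
20161018120000 2 6 100 2047 2 ABCDEF
20161018120000 2 6 100 4095 2 ABCDEF
"""
```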