On 6/1/22 8:36 AM, Gilson Cesar de Oliveira wrote:
Hi list,

Hi,

I'm facing an issue related to removing ciphers from SSH configuration.

Oy vey.

When you execute ssh -Q cipher I can see the list with the ciphers and I'd like to remove some of them.

From my understanding all I have to do is the following:

Include the Ciphers statement with the "-" at the beginning of the cipher name and it'll be removed from the default set.

Ciphers -3des-cbc,--aes128-cbc

Maybe it's a little different on the mainframe, but I'm used to something like the following on Open Systems:

% ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 [email protected]

You'd want to use a "-" in place of the "+" to remove something. -- I'm adding something to make a new client talk to something old. -- You'd probably also want to use "Ciphers" in place of "KexAlgorithms".

One important bit is the "-o ..." parameter as it's how you tell the ssh client that you are providing options that don't have their own / bare command line options.

The ssh_config manual page has a lot more details.

You can also put the "KexAlgorithms=+diffie-hellman-group-exchange-sha1" in a "Host ..." section in the client ssh config file (individual ~/.ssh/config or system wide /etc/ssh/ssh_config)

No errors when starting the SSHD but when I type ssh -Q cipher I'm still viewing those which I've included to be removed.

I'm not surprised that asking SSH what it supports is listing everything. I'd expect it to be more of a what's compiled into the client versus what's enabled.

We are at z/OS V2R4 and OPENSSH is at version 7.6 that comes with the z/OS version.

If anyone could give some light I'll really appreciate that.

I'd suggest that you skim the OpenSSH Legacy Options page as it has more details on this and is probably the opposite end of the candle that you're working on and can easily be adapted to influence things for you.

Link - OpenSSH Legacy Options
 - https://www.openssh.com/legacy.html



--
Grant. . . .
unix || die
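
An added example, not part of the original message and not OpenSSH's own code: a shell model of how the upstream ssh_config/sshd_config manual (OpenSSH 7.5 and later) describes combining a `Ciphers` value with the default list. It predicts the effective set that `sshd -T` or `ssh -G host` reports on upstream OpenSSH, while `ssh -Q cipher` lists every supported cipher regardless of configuration. The default list and function names are constructed for illustration, and z/OS is assumed to follow upstream behaviour.

```shell
#!/bin/sh
# Constructed sample default list; a real build has more entries.
DEFAULT_CIPHERS="aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc"

# matches_any NAME PATTERNS: succeed if NAME matches any comma-separated
# glob in PATTERNS (hypothetical helper).
matches_any() {
    name=$1
    old_ifs=$IFS; IFS=,
    set -f                          # do not expand * against file names
    for pat in $2; do
        case $name in
            $pat) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# effective_ciphers DEFAULTS SPEC: print the list that results from SPEC.
#   "+list" appends to the defaults
#   "-list" removes every default matching a pattern in the list
#   "list"  replaces the defaults
effective_ciphers() {
    defaults=$1 spec=$2 out=
    case $spec in
        +*) printf '%s\n' "$defaults,${spec#+}"; return ;;
        -*) remove=${spec#-} ;;     # only ONE leading "-" for the whole list
        *)  printf '%s\n' "$spec"; return ;;
    esac
    for c in $(printf '%s' "$defaults" | tr ',' ' '); do
        matches_any "$c" "$remove" || out="${out:+$out,}$c"
    done
    printf '%s\n' "$out"
}

# One "-" in front of the whole list removes both CBC ciphers.
effective_ciphers "$DEFAULT_CIPHERS" "-3des-cbc,aes128-cbc"
# Wildcards work too.
effective_ciphers "$DEFAULT_CIPHERS" "-*-cbc"
# A "-" repeated on a later entry becomes part of that pattern, so
# "-aes128-cbc" matches no cipher name and aes128-cbc stays enabled.
effective_ciphers "$DEFAULT_CIPHERS" "-3des-cbc,-aes128-cbc"
```
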
