On Wed, Jun 01, 2022 at 10:32:22AM -0600, Grant Taylor wrote:
> On 6/1/22 8:36 AM, Gilson Cesar de Oliveira wrote:
> > Hi list,
> 
> Hi,
> 
> > I'm facing an issue related to removing ciphers from the SSH configuration.
> 
> Oy vey.
> 
> > When you execute ssh -Q cipher I can see the list with the ciphers and
> > I'd like to remove some of them
> > 
> > From my understanding all I have to do is the following:
> > 
> > Include the Ciphers statement with the "-" at the beginning of the
> > cipher name and it'll be removed from the default set.
> > 
> > Ciphers -3des-cbc,--aes128-cbc
> 
> Maybe it's a little different on the mainframe, but I'm used to something
> like the following on Open Systems:
> 
>    % ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1
> [email protected]
> 
> You'd want to use a "-" in place of the "+" to remove something.  -- I'm
> adding something to make a new client talk to something old.  -- You'd
> probably also want to use "Ciphers" in place of "KexAlgorithms".
> 
> One important bit is the "-o ..." parameter as it's how you tell the ssh
> client that you are providing options that don't have their own / bare
> command line options.
> 
> The ssh_config manual page has a lot more details.
> 
> You can also put the "KexAlgorithms=+diffie-hellman-group-exchange-sha1" in
> a "Host ..." section in the client ssh config file (individual ~/.ssh/config
> or system wide /etc/ssh/ssh_config)
> 
> > No errors when starting the SSHD, but when I type ssh -Q cipher I'm still
> > viewing those which I've included to be removed.
> 
> I'm not surprised that asking SSH what it supports is listing everything.
> I'd expect it to be more of a what's compiled into the client versus what's
> enabled.
> 
> > We are at z/OS V2R4 and OPENSSH is at version 7.6 that comes with the
> > z/OS version.
> > 
> > If anyone could give some light I'll really appreciate that.
> 
> I'd suggest that you skim the OpenSSH Legacy Options page as it has more
> details on this and is probably the opposite end of the candle that you're
> working on and can easily be adapted to influence things for you.
> 
> Link - OpenSSH Legacy Options
>  - https://www.openssh.com/legacy.html

I am not familiar with how openssh is configured on z/OS, but generally 
there are two ways to make configuration settings. Either through 
commandline parameters when the daemon program is executed, or via 
configuration file settings.

In the config file, you'd make a Ciphers stanza and then list ciphers 
you want to add or remove with '-' and '+' respectively.

When starting the daemon, you say:
$ sshd -o Ciphers=+foo,-bar

See https://man.openbsd.org/sshd_config

$ ssh -Q ciphers isn't going to help you, as that indicates which 
ciphers the ssh _client_ is _supporting_. That is the wrong end of the 
ssh connection, client instead of server. Also, it tells you what the 
program supports, not what it is configured to use.

If you want to validate what a SSH daemon is configured to use, you can 
use e.g. nmap --script ssh2-enum-algos target from an arbitrary other 
machine that can reach the server over the network.

-Alex
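As an added example (not part of this thread, and not OpenSSH's own code), the Python below emulates the Ciphers directive semantics documented in sshd_config(5), so the effect of a "+", "-" or "^" prefix on the default set can be seen offline before touching a server. The default cipher list, the sample config fragment and the function names are constructed for the example, and Python's fnmatch stands in for OpenSSH's own wildcard matcher; it also shows why a mistyped entry like the "--aes128-cbc" in the original post removes nothing.

```python
import fnmatch
import re

# Constructed default cipher set for the emulation.  The real default list
# depends on the OpenSSH build; `ssh -Q cipher` prints what is compiled in,
# not what is enabled, so treat this list as sample input only.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "3des-cbc",
]


def apply_ciphers_directive(value, default=DEFAULT_CIPHERS):
    """Return the effective cipher list for one Ciphers value.

    Prefix semantics as documented in sshd_config(5) / ssh_config(5):
      '+'  append the listed ciphers to the default set
      '-'  remove the listed ciphers (wildcards allowed) from the default set
      '^'  place the listed ciphers at the head of the default set
      none replace the default set with exactly the listed ciphers
    Wildcards are matched with fnmatch here as a stand-in for OpenSSH's own
    pattern matcher (an assumption of this emulation).
    """
    value = value.strip()
    if not value:
        raise ValueError("empty Ciphers value")
    if value[0] in "+-^":
        prefix, body = value[0], value[1:]
    else:
        prefix, body = "", value
    names = [n for n in body.split(",") if n]
    if not names:
        raise ValueError("no cipher names given")

    if prefix == "":
        return list(names)
    if prefix == "+":
        # appended names that are already present are not duplicated
        return list(default) + [n for n in names if n not in default]
    if prefix == "^":
        return list(names) + [c for c in default if c not in names]
    # prefix == "-": drop every default entry matching any listed pattern.
    # A pattern that matches nothing removes nothing, so a mistyped entry
    # such as "--aes128-cbc" silently leaves aes128-cbc enabled.
    return [
        c for c in default
        if not any(fnmatch.fnmatchcase(c, pat) for pat in names)
    ]


def effective_ciphers_from_config(text, default=DEFAULT_CIPHERS):
    """Apply the first Ciphers keyword found in config text.

    OpenSSH uses the first value obtained for a keyword, so the first
    Ciphers line wins; Match blocks are not modelled.  With no Ciphers
    line at all the default set is returned unchanged.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # keyword and argument may be separated by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return apply_ciphers_directive(parts[1], default)
    return list(default)


# Constructed sample config (not a real server's file): disables 3DES and
# every CBC-mode cipher while keeping the default CTR/GCM/chacha20 entries.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config fragment
Port 22
Ciphers -3des-cbc,*-cbc
"""

if __name__ == "__main__":
    for c in effective_ciphers_from_config(SAMPLE_SSHD_CONFIG):
        print(c)
```

On the server itself, `sshd -T` prints the effective configuration, including the resulting ciphers line, after the directive has been applied; that is the check to run before trusting an edit. From another host, the nmap script mentioned above shows what the daemon actually offers on the wire.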

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN