CentOS – disable ciphers in openssh
- May 15th, 2017
- Posted in Documentation
I used the following procedure to disable the weak ciphers enabled in openssh on CentOS 7:
You could probably guess where this should be configured, but one of the challenges can be getting a complete list of what is supported.
Get a list of supported ciphers:
# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
To disable one or more ciphers, you need to explicitly specify the ciphers you do want to use; anything not listed is disabled. For example, to disable arcfour, list every supported cipher except arcfour, arcfour128 and arcfour256:
# vi /etc/ssh/sshd_config
…
Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com…
And then, restart sshd:
# systemctl restart sshd
And check:
$ ssh -c arcfour localhost
no matching cipher found: client arcfour server 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Hello Jim,
I think it is obvious, I was testing your setup, but it does not work. I’ve tried the same: for arcfour it works, but for the other ciphers you’ve commented, the connection works without problem.
There must be something else to do.
Take care, Martin
@Martin
I’m confused. Did it work for arcfour but not the others?