{"id":1543,"date":"2017-05-15T18:19:19","date_gmt":"2017-05-16T01:19:19","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=1543"},"modified":"2017-05-15T18:19:19","modified_gmt":"2017-05-16T01:19:19","slug":"centos-disable-ciphers-in-openssh","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=1543","title":{"rendered":"CentOS &#8211; disable ciphers in openssh"},"content":{"rendered":"<p>I used the following procedure to disable the weak ciphers enabled in OpenSSH on CentOS 7:<\/p>\n<p>You could probably guess where this should be configured, but one of the challenges can be getting a complete list of what is supported.<\/p>\n<p>Get a list of supported ciphers:<\/p>\n<blockquote><p># ssh -Q cipher<br \/>\n3des-cbc<br \/>\nblowfish-cbc<br \/>\ncast128-cbc<br \/>\narcfour<br \/>\narcfour128<br \/>\narcfour256<br \/>\naes128-cbc<br \/>\naes192-cbc<br \/>\naes256-cbc<br \/>\nrijndael-cbc@lysator.liu.se<br \/>\naes128-ctr<br \/>\naes192-ctr<br \/>\naes256-ctr<br \/>\naes128-gcm@openssh.com<br \/>\naes256-gcm@openssh.com<br \/>\nchacha20-poly1305@openssh.com<\/p><\/blockquote>\n<p>To disable one or more, you need to explicitly specify the ciphers you do want to use.  
For example, to disable the arcfour ciphers:<\/p>\n<blockquote><p># vi \/etc\/ssh\/sshd_config<br \/>\n&#8230;<br \/>\nCiphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com<\/p>\n<p>&#8230;<\/p><\/blockquote>\n<p>And then, restart sshd:<\/p>\n<blockquote><p># systemctl restart sshd<\/p><\/blockquote>\n<p>And check:<\/p>\n<blockquote><p>$ ssh -c arcfour localhost<br \/>\nno matching cipher found: client arcfour server 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\n<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>I used the following procedure to disable the weak ciphers enabled in OpenSSH on CentOS 7: You could probably guess where this should be configured, but one of the challenges can be getting a complete list of what is supported. 
Get a list of supported ciphers: # ssh -Q cipher 3des-cbc blowfish-cbc cast128-cbc arcfour [&#038;hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[40,448,48,317],"class_list":["post-1543","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-centos","tag-cipher","tag-linux","tag-ssh"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1543"}],"version-history":[{"count":1,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1543\/revisions"}],"predecessor-version":[{"id":1544,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1543\/revisions\/1544"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}