How to disable SSH cipher/ MAC algorithms for Linux and Unix


For security reasons you may need to change SSH's cipher, MAC and key-exchange algorithms. Below are the basic steps for changing these settings on Unix and Linux.

Check existing configuration

Check which ciphers, MACs and key-exchange algorithms are currently allowed before disabling any of them.

# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Edit SSHD Configuration

Disable ciphers and MACs by editing sshd_config as shown below. Remove the MACs and ciphers you don't want to allow, then save the file. If the sshd config file has no ciphers or macs line yet, add a new line at the end of the file.

# vi /etc/ssh/sshd_config

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc

macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512
# service sshd restart

Check the new configuration

# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
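The edit and check steps above can be scripted: parse the `sshd -T` output, compare it against an allow-list, print the ciphers/macs/kexalgorithms lines to put into sshd_config, and after the restart confirm that nothing forbidden is still offered. The script below is an added example, not part of the original post. Its sample input is a constructed copy of the `sshd -T` output shown above, and the allow-list is an assumption (it is stricter than the post's example, which keeps aes128-cbc and hmac-sha1); set your own.

```python
"""Compute hardened Ciphers/MACs/KexAlgorithms lines from `sshd -T` output.

Added example, not code from the original post. SAMPLE_SSHD_T is a
constructed copy of the `sshd -T` lines shown in the post; ALLOWED is an
assumed allow-list, not a recommendation from the post.
"""
import subprocess

# Constructed sample: the relevant lines of `sshd -T` from the post.
SAMPLE_SSHD_T = """\
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

# Assumed allow-list (order here becomes the server's preference order).
ALLOWED = {
    "ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "macs": ["umac-64@openssh.com", "hmac-sha2-256", "hmac-sha2-512"],
    "kexalgorithms": ["diffie-hellman-group-exchange-sha256"],
}

KEYWORDS = ("ciphers", "macs", "kexalgorithms")


def parse_sshd_t(text):
    """Return {keyword: [algorithm, ...]} for ciphers, macs and kexalgorithms."""
    result = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in KEYWORDS:
            result[key] = [a for a in value.split(",") if a]
    return result


def plan(effective, allowed):
    """For each keyword: the algorithms currently offered that are not allowed,
    and the sshd_config line to write. Only allowed algorithms this build
    actually offers are kept, so the line never names an unsupported one."""
    report = {}
    for key, wanted in allowed.items():
        offered = effective.get(key, [])
        keep = [a for a in wanted if a in offered]
        drop = [a for a in offered if a not in wanted]
        report[key] = {"drop": drop, "line": f"{key} {','.join(keep)}"}
    return report


def violations(effective, allowed):
    """Algorithms still offered that the allow-list forbids; an empty list
    after the restart means the new configuration took effect."""
    bad = []
    for key, wanted in allowed.items():
        bad += [f"{key}:{a}" for a in effective.get(key, []) if a not in wanted]
    return bad


def live_sshd_t():
    """Run `sshd -T` (needs root and OpenSSH); None if that is not possible."""
    try:
        proc = subprocess.run(["sshd", "-T"], capture_output=True,
                              text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Fall back to the constructed sample when sshd cannot be queried.
    effective = parse_sshd_t(live_sshd_t() or SAMPLE_SSHD_T)
    for key, info in plan(effective, ALLOWED).items():
        print(f"# {key}: remove {', '.join(info['drop']) or 'nothing'}")
        print(info["line"])
    left = violations(effective, ALLOWED)
    print(f"# still offered but not allowed: {len(left)}")
```

Run it once before editing to get the lines for sshd_config, then `sshd -t` to check the file for syntax errors before `service sshd restart`; running the script again afterwards should report zero algorithms that are still offered but not allowed.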

I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills, and I work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
