Score:1

How do I disable sshd algorithms?


From my vulnerability scanning software I get this flag/message

The following weak key exchange algorithms are enabled : 

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group1-sha1

I want to disable these two algorithms.

I queried the sshd_config...

[root@vm01 ~]# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
kexalgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
[root@vm01 ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
[root@vm01 ~]# sshd -T | grep kex
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
kexalgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp25

As you can see from the output, the clients are able to use these algorithms. There is no mention of the offending algorithms in the sshd_config, even in the Ciphers section:

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

Any help appreciated.

Note I am using OpenSSH 7.4

sshd_config

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,-diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Are you sure the vulnerability scanner is actually examining the server you think it is? If that really is your output for `sshd -T` I would be tempted to believe that the scanner is somehow hitting a different system. I would probably want to confirm the scanner is actually working by watching a tcpdump on the target server while the scanner runs. I would also possibly run the sshd in debug mode in the foreground and then run your scan so you can see the verbose negotiation output.
Score:1

As far as I know, OpenSSH does support disabling specific key exchange algorithms or ciphers (and those are actually two different things) by prepending the list of algorithms you want disabled with a hyphen/minus -, although more common is setting up explicitly what you do want to allow.

See: https://man.openbsd.org/sshd_config#KexAlgorithms

If KexAlgorithms is currently not set then your server is using the default settings. You could leave the defaults and disable those two offending weak key exchange algorithms with:

# sshd_config
...
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Or you could set the more explicit strong settings such as (which may break backward compatibility with old clients):

# sshd_config
...
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
Ruth Edges
When i test the sshd_conf I get this error: /etc/ssh/sshd_config line 146: Bad SSH2 KexAlgorithms '-diffie-hellman-group1-sha1,-diffie-hellman-group-exchange-sha1'.
Try omitting the second hyphen and use `KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1`
Ruth Edges
Unsupported KEX algorithm "-diffie-hellman-group1-sha1" /etc/ssh/sshd_config line 142: Bad SSH2 KexAlgorithms 'curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,-diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1'.
Ruth Edges
Note that I already have a defined KexAlgorithms section.
As far as I understand the manual, it is either: list everything you want to allow (and all others will be disabled), or list everything you want to remove from the default list by starting the list with a `-`; you can't do a combination `+..., -...`.
Ruth Edges
So why then was I getting these unwanted ciphers present in my query of sshd_config if they were never mentioned in the first place? I have stated my desired ciphers in the Ciphers and KexAlgorithms sections.
dave_thompson_085
@RuthEdges: The '-' syntax to remove kexes, ciphers, etc. from the default was [only in 7.5 up](https://www.openssh.com/txt/release-7.5), and the Q says 7.4.
John Greene
I own all servers and clients in question and see this SIMILAR problem, but only one of my servers is at that v7.4; the rest have gone to v8. Also, it must suck to use just the minus (negatory) feature, because you may get a crappy algorithm being introduced during the next OpenSSH upgrade.
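The check the answer and its comments boil down to, as an added example that is not code from any poster in this thread: it reads `sshd -T` output (the effective server list, unlike `ssh -Q kex`, which lists everything the binary supports), reports the two KEX algorithms the scanner flagged if the server still offers them, and prints the directive that fits the OpenSSH version, since the leading `-` removal syntax exists only from 7.5 (per the release note linked above) and older servers need an explicit allow list instead. The function names and the sample `sshd -T` output are constructed for the example.

```shell
#!/bin/sh
# Audit the EFFECTIVE sshd key-exchange list (what `sshd -T` reports), not
# `ssh -Q kex`, which only lists what the binary supports.
# Constructed sample of `sshd -T` output, modelled on the question's output.
SAMPLE_SSHD_T='gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1'
# The two algorithms the scanner flagged; extend as your policy requires.
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# weak_kex_in_config <sshd -T output>: print each weak kex the server offers,
# one per line; exit status 1 when any was found, 0 when the list is clean.
weak_kex_in_config() {
    kex=$(printf '%s\n' "$1" | awk '$1 == "kexalgorithms" { print $2 }')
    found=0
    for w in $WEAK_KEX; do
        case ",$kex," in
            *",$w,"*) echo "$w"; found=1 ;;
        esac
    done
    return "$found"
}

# kex_directive <ssh -V string or version> <effective kex list>: print the
# sshd_config line that drops WEAK_KEX. The leading '-' removal syntax was
# added in OpenSSH 7.5 (release note cited above), so for older servers the
# effective list is rewritten as an explicit allow list without the weak ones.
kex_directive() {
    ver=${1#OpenSSH_}
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 5 ]; }; then
        printf 'KexAlgorithms -%s\n' "$(printf '%s' "$WEAK_KEX" | tr ' ' ',')"
        return 0
    fi
    keep=""
    for k in $(printf '%s' "$2" | tr ',' ' '); do
        case " $WEAK_KEX " in
            *" $k "*) ;;                        # drop the weak entry
            *) keep="$keep${keep:+,}$k" ;;
        esac
    done
    printf 'KexAlgorithms %s\n' "$keep"
}

# Demo on the constructed sample; on a real host use "$(sshd -T)" and
# "$(ssh -V 2>&1)" instead (sshd -T needs root and a parseable sshd_config).
kex_list=$(printf '%s\n' "$SAMPLE_SSHD_T" | awk '$1 == "kexalgorithms" { print $2 }')
weak_kex_in_config "$SAMPLE_SSHD_T" || kex_directive "OpenSSH_7.4p1" "$kex_list"
```

After changing sshd_config, `sshd -t` validates the file and `sshd -T | grep kexalgorithms` confirms the effective list; a scanner re-run is the only thing that confirms what the network sees.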
Score:0

In my version of OpenSSH, in the sshd_config it is not possible to use a "+" or "-" at the beginning. It is only possible to make a list of usable algorithms separated by ",".

Score:0

I am facing the same issue about "weak key exchange algorithms" when running "ssh -Q kex":

[root@ ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-

my ssh version is:

[root@ ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

so I cannot use '-', and I tried adding a line in sshd_config:

KexAlgorithms  curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

After systemctl restart sshd and running ssh -Q kex, the system still responds:

[root@l ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-

Wondering which part of my configuration was wrong or anything I missed. Thanks.

reynold
It's CentOS 7 on a public cloud platform.
