Linux SSH Disable CBC Ciphers

In this post I demonstrate how to disable insecure or unused SSH ciphers. You may need to do this for security or compliance purposes. You do not need to list each cipher explicitly to disable it; you can exclude ciphers based on a pattern.

 

View Supported Ciphers

The first thing you need to do is find out which ciphers are supported on your system. To do that, issue the command below.

# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

 

Viewing Loaded Ciphers

Additionally, you need to see which ciphers are actually loaded by the SSH server. Below is the command and example output.

# sshd -T | grep cipher
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# 

 

Restrict all CBC Ciphers

Based on the output of the above commands, you can see that CBC ciphers do exist on the machine but are not loaded by the SSH server for encrypting client connections. Because of this, it is not strictly required to disallow the CBC ciphers in the SSH configuration. However, an update to the SSH server could change which ciphers it loads, and the way to guarantee that CBC ciphers are never loaded is to exclude them explicitly in the configuration file.

Below is an excerpt of /etc/ssh/sshd_config. If a line denoting "Ciphers" does not already exist, add this line at the bottom of your sshd_config file.

Ciphers -*cbc*

Note that the minus symbol tells the configuration to exclude whatever comes after it.

The asterisk is a wildcard, so any cipher that has "cbc" in its name will not be loaded at startup.

If Ciphers is already defined, just remove any entries that have cbc in them.

 

Reload the SSH Server

Lastly, you need to reload the SSH server for the changes to take effect. Below is an example of the command on a Debian-based system.

$ sudo service ssh reload
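
To confirm the result after the reload, the script below emulates the "-*cbc*" exclusion on a cipher list and audits "sshd -T" output for any remaining CBC entry. It is an added example, not part of the original post; the function names and the sample cipher list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Pull the comma-separated cipher list out of `sshd -T` output read on stdin.
effective_ciphers() {
    awk '$1 == "ciphers" { print $2; exit }'
}

# Emulate "Ciphers -<patterns>": print the comma-separated list $1 with every
# entry that matches one of the comma-separated globs in $2 removed.
remove_matching() {
    out=
    old_ifs=$IFS
    IFS=,
    set -f                      # do not expand * against file names
    for c in $1; do
        keep=1
        for p in $2; do
            case $c in $p) keep=0 ;; esac
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out,}$c"; fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Read `sshd -T` output on stdin. Returns 0 if a cipher list is present and
# holds no CBC cipher, 1 if a CBC cipher remains, 2 if no list was found.
audit_no_cbc() {
    list=$(effective_ciphers)
    if [ -z "$list" ]; then echo "no ciphers line found"; return 2; fi
    clean=$(remove_matching "$list" '*cbc*')
    if [ "$clean" = "$list" ]; then echo "OK: $list"; return 0; fi
    echo "CBC ciphers still enabled in: $list"
    return 1
}

# Constructed sample: a default set that still contains two CBC ciphers.
# The second one shows why the pattern needs the trailing asterisk.
SAMPLE_DEFAULT='chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,rijndael-cbc@lysator.liu.se,aes256-gcm@openssh.com'

# Demo on the constructed list; on a live host run: sshd -T | audit_no_cbc
echo "after -*cbc*: $(remove_matching "$SAMPLE_DEFAULT" '*cbc*')"
```

Running "sshd -t" before the reload checks the edited sshd_config for syntax errors, so a typo in the Ciphers line is caught before the server re-reads the file.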

 

And that is all you need to do to restrict ciphers based on wildcards.

 

 

 

 


