Backup /etc/sysconfig/sshd and /etc/ssh/sshd_config
cp /etc/sysconfig/sshd /etc/sysconfig/sshd.before
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before
Edit /etc/sysconfig/sshd to uncomment the CRYPTO_POLICY setting
from:
to:
Copy the following ciphers, MACs, and KexAlgorithms to /etc/ssh/sshd_config.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Verify the configuration file before restarting the SSH server.
If there are no errors reported, then restart the SSHD service.
Test weak CBC ciphers by executing the below command.
ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
<server>
If successful, it will prompt for a password. This means weak ciphers are enabled.
If it fails, indicating cbc ciphers are disabled, you should receive a message like this:
Unable to negotiate with 10.30.11.11 port 22: no matching cipher found.
Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
To test if weak MAC algorithms are enabled, run the below command:
ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com <server>
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none