This writeup is referenced from The Geek Diary:
- How To Disable Weak Cipher And Insecure HMAC Algorithms In SSH Services In CentOS/RHEL 8
- How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services for CentOS/RHEL 6 and 7
Edit /etc/sysconfig/sshd and uncomment the CRYPTO_POLICY line:
CRYPTO_POLICY=
Edit the /etc/ssh/sshd_config file and add the KexAlgorithms, Ciphers and MACs lines:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
After making changes to the configuration file, you may want to do a sanity check on it:
# sshd -t
Restart the sshd service:
# systemctl restart sshd
To test whether weak CBC ciphers are still enabled, connect while offering only those ciphers:
$ ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [youruserid@IP of your Server]
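The client-side test above only covers the CBC ciphers. As an added example (not from the original articles), the script below checks all three directives at once by comparing `sshd -T`-style output against the allow-lists given on this page. The function name audit_sshd_algos and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Allow-lists copied from the sshd_config lines on this page.
ALLOWED_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
ALLOWED_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
ALLOWED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# audit_sshd_algos (hypothetical helper): reads `sshd -T`-style lines on stdin,
# prints "keyword: algorithm" for every entry outside the allow-lists, and
# returns 1 if anything was printed. A keyword missing from the input is also
# reported, because the server would then fall back to its defaults.
audit_sshd_algos() {
    awk -v kex="$ALLOWED_KEX" -v ciphers="$ALLOWED_CIPHERS" -v macs="$ALLOWED_MACS" '
        function load(key, csv,    parts, n, i) {
            n = split(csv, parts, ",")
            for (i = 1; i <= n; i++) ok[key, parts[i]] = 1
            audited[key] = 1
        }
        BEGIN {
            bad = 0
            load("kexalgorithms", kex); load("ciphers", ciphers); load("macs", macs)
        }
        {
            key = tolower($1)              # accept sshd_config capitalisation too
            if (!(key in audited)) next
            seen[key] = 1
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (!((key, algos[i]) in ok)) { print key ": " algos[i]; bad = 1 }
        }
        END {
            for (key in audited)
                if (!(key in seen)) { print key ": (not set, defaults apply)"; bad = 1 }
            exit bad
        }'
}

# Constructed sample (not captured from a real host): CBC ciphers and a SHA-1 MAC left enabled.
SAMPLE_WEAK="ciphers aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org"

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_algos || echo "FAIL: algorithms outside the allow-list"
# On a real server (as root): sshd -T | audit_sshd_algos
```

An empty output with exit status 0 means every negotiated algorithm is on the allow-list.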