Ssh – Disable Arcfour encryption

centosencryptionssh

I'm new to this but have been searching everywhere for a clear answer.

To pass PCI compliance the Arcfour cipher should be disabled.

I've tried to edit the ciphers in my sshd_conf and ssh_conf files to no avail.

As far as I can make out the default ciphers are

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

I've tired removing the arcfour instances from that line and also adding a '-' (minus) before them which didn't work either.

How does one disable arcfour ciphers?

We're running CentOS 6.8 in case that helps.

Best Answer

CentOS 5, 6 & 7 don't have a Ciphers line in the /etc/ssh/sshd_config file so you get the full default list of ciphers. So to exclude arcfour add the following lines to your sshd_config file:

# restrict ciphers to exclude arcfour
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

Then restart sshd:

service sshd restart

As noted above you can test using

ssh <hostname> -c arcfour

If the specified cipher is disabled you'll get a response like

no matching cipher found: client arcfour server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

otherwise you'll see the normal login process.

Related Solutions

SSHFS – How to Use Arcfour Encryption Over SSHFS

Seems like the server does not want to allow it based onthe output of auth.log. I'd try adding arcfour back into the SSH server's sshd_config file. From the sshd_config man page:

excerpt

 Ciphers
        Specifies the ciphers allowed for protocol version 2.  Multiple 
        ciphers must be comma-separated.  The supported ciphers are 
        “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, 
        “aes192-ctr”, “aes256-ctr”, “aes128-gcm@openssh.com”, 
        “aes256-gcm@openssh.com”, “arcfour128”, “arcfour256”,
        “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  The default is:

            aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
            aes128-gcm@openssh.com,aes256-gcm@openssh.com,
            aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
            aes256-cbc,arcfour

Incidentally, there is nothing wrong with your -o Ciphers=arcfour switches from what I can tell. I even found this SU Q&A titled: sshfs mount without compression or encryption that shows the same approach.

Disable Weak Ciphers in SSH – How to Enhance SSH Security

If you have no explicit list of ciphers set in ssh_config using the Ciphers keyword, then the default value, according to man 5 ssh_config (client-side) and man 5 sshd_config (server-side), is:

            aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
            aes128-gcm@openssh.com,aes256-gcm@openssh.com,
            chacha20-poly1305@openssh.com,
            aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
            aes256-cbc,arcfour

Note the presence of the arcfour ciphers. So you may have to explicitly set a more restrictive value for Ciphers.

ssh -Q cipher from the client will tell you which schemes your client can support. Note that this list is not affected by the list of ciphers specified in ssh_config. Removing a cipher from ssh_config will not remove it from the output of ssh -Q cipher. Furthermore, using ssh with the -c option to explicitly specify a cipher will override the restricted list of ciphers that you set in ssh_config and possibly allow you to use a weak cipher. This is a feature that allows you to use your ssh client to communicate with obsolete SSH servers that do not support the newer stronger ciphers.

nmap --script ssh2-enum-algos -sV -p <port> <host> will tell you which schemes your server supports.

Best Answer

Related Solutions

SSHFS – How to Use Arcfour Encryption Over SSHFS

Disable Weak Ciphers in SSH – How to Enhance SSH Security

Related Question