The security team of my organization told us to disable the following weak ciphers because they issue weak keys:
arcfour
arcfour128
arcfour256
I tried looking for these ciphers in the ssh_config and sshd_config files but found them commented out:
grep arcfour *
ssh_config:# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Where else should I check to disable these ciphers in SSH?
Best Answer
If you have no explicit list of ciphers set in ssh_config using the Ciphers keyword, then the default value, according to man 5 ssh_config (client-side) and man 5 sshd_config (server-side), is:

Note the presence of the arcfour ciphers. So you may have to explicitly set a more restrictive value for Ciphers.

ssh -Q cipher from the client will tell you which schemes your client can support. Note that this list is not affected by the list of ciphers specified in ssh_config. Removing a cipher from ssh_config will not remove it from the output of ssh -Q cipher. Furthermore, using ssh with the -c option to explicitly specify a cipher will override the restricted list of ciphers that you set in ssh_config and possibly allow you to use a weak cipher. This is a feature that allows you to use your ssh client to communicate with obsolete SSH servers that do not support the newer stronger ciphers.

nmap --script ssh2-enum-algos -sV -p <port> <host> will tell you which schemes your server supports.
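As an added example (not part of the original question or answer), here is a small POSIX shell audit that shows why a commented-out Ciphers line still leaves the arcfour defaults in effect: it reports whether a config file has no active Ciphers directive (built-in default in effect), an explicit list that still contains arcfour, or a clean list, and derives a hardened Ciphers line. The sample config files are constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit ssh_config/sshd_config
# for the arcfour ciphers discussed above and derive a hardened Ciphers line.

# Print the value of the first active (uncommented) Ciphers directive, if any.
# A line starting with '#' has '#' as its first field, so it is skipped,
# exactly as sshd/ssh ignore it.
active_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# DEFAULT: no Ciphers directive, so the built-in default list (which, per the
#          man pages quoted in the answer, includes arcfour) is in effect.
# WEAK:    an explicit list that still names an arcfour variant.
# OK:      an explicit list with no arcfour entries.
cipher_status() {
    list=$(active_ciphers "$1")
    if [ -z "$list" ]; then
        echo DEFAULT
    elif printf '%s\n' "$list" | tr ',' '\n' | grep -q '^arcfour'; then
        echo WEAK
    else
        echo OK
    fi
}

# Drop every arcfour variant from a comma-separated cipher list.
strip_arcfour() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^arcfour' |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

tmp=$(mktemp -d)
# Constructed sample 1: mirrors the questioner's grep output (directive commented out).
printf '# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n' > "$tmp/commented"
# Constructed sample 2: an explicit list that still permits arcfour.
printf 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128\n' > "$tmp/weak"
# Constructed sample 3: the hardened form derived from sample 2.
printf 'Ciphers %s\n' "$(strip_arcfour "$(active_ciphers "$tmp/weak")")" > "$tmp/hardened"

for f in commented weak hardened; do
    echo "$f: $(cipher_status "$tmp/$f")"
done
echo "hardened directive: $(cat "$tmp/hardened")"
```

Remember that this only checks the configuration; as the answer notes, ssh -Q cipher still lists arcfour as supported, and a client invoked with -c can bypass the restricted list, so the server-side Ciphers directive is the one that enforces the policy.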