Tuesday, March 23, 2021
How to disable weak SSH algorithms
On the server side:
1. vi /etc/ssh/sshd_config
2. add the following lines
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
3. systemctl restart sshd
On the client side:
1. vi /etc/ssh/ssh_config
2. add the following lines
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
3. systemctl restart sshd
To verify the server setting:
1. sshd -T | grep macs
2. sshd -T | grep kexalgorithms
3. sshd -T | grep ciphers
To verify the client setting:
1. ssh -Q kex
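The three server checks above can be combined into one pass that compares the effective `sshd -T` values against the lists from this post. This is an added example, not part of the original post; the function names and the sample input are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Allowlists copied from the Ciphers/MACs/KexAlgorithms lines on this page.
ALLOW_CIPHERS='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
ALLOW_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1'
ALLOW_KEX='diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'

# audit_sshd_algos (hypothetical helper): reads `sshd -T` output on stdin.
# Prints "directive:algorithm" for every algorithm outside the allowlist and
# "directive:MISSING" when a directive is absent; returns 1 on any finding.
audit_sshd_algos() {
    awk -v c="$ALLOW_CIPHERS" -v m="$ALLOW_MACS" -v k="$ALLOW_KEX" '
    BEGIN { allow["ciphers"] = c; allow["macs"] = m; allow["kexalgorithms"] = k }
    ($1 in allow) {                      # sshd -T prints keywords in lower case
        seen[$1] = 1
        split("", ok)                    # reset the per-directive lookup table
        n = split(allow[$1], want, ",")
        for (i = 1; i <= n; i++) ok[want[i]] = 1
        n = split($2, got, ",")
        for (i = 1; i <= n; i++)
            if (!(got[i] in ok)) { print $1 ":" got[i]; bad = 1 }
    }
    END {
        for (d in allow) if (!(d in seen)) { print d ":MISSING"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample of `sshd -T` output from a host where the new lines
# were not picked up (not captured from a real system).
sample_sshd_T() {
    cat <<'EOF'
port 22
ciphers aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-md5
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
EOF
}

# Demo on the constructed sample; on a real server run: sshd -T | audit_sshd_algos
sample_sshd_T | audit_sshd_algos || echo "sshd is offering algorithms outside the allowlist"
```

An empty result with exit status 0 means every cipher, MAC and key exchange algorithm the running configuration offers is on the list above.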