This is not Rocky8 related but I hope someone here can land a helping hand as I am at a loss. I asked google and searched openssh forum (inactive since 2013) and did find anything useful.
The ssh from OpenSSH on Rocky 8 supports less secure ciphers such as aes128-cbc. Output of ‘ssh -Q cipher’: 3des-cbc aes128-cbc …
I want to remove all the cbc weak ciphers . However, I cannot seem to do it. I put cipher line in ssh_config and backend config files.
But ‘ssh -Q cipher’ still shows all the -cbc ciphers.
ssh seems to have these ciphers compiled in: strings ssh | grep ‘-cbc’
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Our university security scan shows the server ssh supports weak ciphers and I was asked to remove the weak ciphers.
Does anyone know a way to remove weak ciphers from ssh or tell ssh to not support them?
The ssh is a client. Surely it shows what it does support, not what some sshd in some server supports?
The security scan must negotiate with the sshd in your machine. What if you try to connect to your machine, but force your client to use a cbc cipher? Connection should fail if you have successfully removed support.
Our security team required us to have an account on our servers they use to do ‘credential scans’. The scanner reports back saying ssh allows weak ciphers, hex, and macs. The sshd on the servers is fine after I removed weak ciphers,hex,macs in sshd_config. But putting same lines in ssh_config or .ssh/config makes no difference on ssh client. Very weird.
RHEL8 (Rocky 8.5) now has the concept of “system wide crypto policies”. man crypto-policies
The idea is to have system wide defaults, as opposed to per application variance.
@jamesw , consider the fact the host providing the SSH service requires changes to the KEX, MACs, and Ciphers found in the /etc/ssh/sshd_config file.
Also, if you are reviewing Tenable scans that are providing you feedback about your Compliance results; consider the fact many things the scanner is looking for is expected to literally be in the same order. I use the word literally accurately in this case, because where many people use the word literally too liberally, and they actually mean metaphorically.
Be aware, that if you have RHEL 6 variants that need access to this server, you need to ensure you have hmac-sha1 listed in association with your MACs setting.
The man sshd writes: “command-line options override values specified in the configuration file.”
The /etc/crypto-policies/back-ends/opensshserver.config is provided by package crypto-policies and defines CRYPTO_POLICY.
Therefore, your current crypto policy overrides all Ciphers that you set in /etc/ssh/sshd_config.
This is also true @jlehtone , but most people know about the configurations listed directly and explicitly in the /etc/ssh/sshd_config file and when the ssh packages are updated it doesn’t matter which file has your updates there will be an rpmsave file created. As such, you will realize the package was updated and you may need to copy back your configurations (most of the time not); so leaving your custom changes in a file that is regularly checked makes it easier for troubleshooting than putting the custom changes into a file that is rarely reviewed if at all.
Yes, but the point was – if we are talking about the ‘Ciphers’ option – that the Ciphers you set in /etc/ssh/sshd_config are completely ignored.
Yes, you might get rpmnew/rpmsave when ‘openssh-server’ is updated, but the actual changes to Ciphers are in different package, file, and directory.
Furthermore, for ciphers in ssh client, the /etc/ssh/ssh_config ends with:
# This system is following system-wide crypto policy.
# To modify the system-wide ssh configuration, create a *.conf file under
# /etc/ssh/ssh_config.d/ which will be automatically included below
Include /etc/ssh/ssh_config.d/*.conf
The idea is that customizations are added as separate files, so there will be less/no rpmnew/rpmsave. On one hand customizations remain clearly separate from defaults. On the other hand it is less obvious when customizations have to be adapted.
EL8 has /etc/ssh/ssh_config.d/. EL9 will have /etc/ssh/sshd_config.d/ too.