Security: Fix Weak Key Exchange Algorithm in SSH

15.06.2023 Hosting, Security,

A security scan of a server reports the following result: The remote SSH server is configured to allow / support weak key exchange (KEX) algorithm(s). How can the SSH connection be secured?

Step 1: Disable default crypto policies

nano /etc/sysconfig/sshd

## change 
#CRYPTO_POLICY= 

## to 
CRYPTO_POLICY=

More about Crypto-Policies

Step 2: Update MACs, kex algorithms and cyphers in /etc/ssh/sshd_config

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Step 3: Restart SSH server

sshd -t
systemctl restart sshd

Step 4: Test weak cyphers

ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [user@ip-address]

if the following error message appears here, the finding has been fixed:

$ ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc root@192.168.0.10 -p22
:::::::::::::::::::::::::::::::::::::::
...
Unable to negotiate with  port 22: no matching cipher found
prev Automatic, AI-based translation processes with deepL in TYPO3
next Security: Fix Weak Key Exchange Algorithm in SSH