Charlie Li on 12 Sep 2017 07:14:56 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Removing ciphers from an old Open-SSH server

On 09/12/17 08:47, Michael Leone wrote:
> I've got an old Red Hat 5.11 server (yes, I know, it should be
> upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A
> consultant penetration test came up with a number of issues; the ones
> related to this server deal mostly with the SSH service. Specifically,
> allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers". 
> However, all my searches seem to presume a much newer version of
> OpenSSH. I see a lot of pages on how to add any ciphers you want
> disallowed (such as:
> But my sshd-config doesn't have any such ciphers listed (even as
> comments). And as such, I don't know if that will work. And before I go
> messing around with a production server, I figured I would ask first.
Refer to the sshd_config man page from OpenBSD 3.9, which contained
OpenSSH 4.3, where it details the Ciphers keyword-argument pair,
specifically the last part:
> The default is:
>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
>                 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
>                 aes192-ctr,aes256-ctr

These are OpenBSD's defaults, obviously. I'm not sure if Red Hat changed
them for their portable version they compile and distribute (because,
Red Hat). But the first sentence of the man page's description of
Ciphers does say
> Specifies the ciphers allowed for protocol version 2.
meaning, opt-in.

Charlie Li
Can't think of a witty .sigline today…

(This email address is for mailing list use only;
replace local-part with vishwin for off-list communication)

Attachment: signature.asc
Description: OpenPGP digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --