How To Disable SSH Server Weak Key Exchange Algorithm diffie-hellman-group1-sha1 in Oracle Linux
The diffie-hellman-group1-sha1 key exchange algorithm is considered weak. OpenSSH on Oracle Linux 7 currently supports and enables it, so security and vulnerability scanners such as Qualys may report it as vulnerable.
To ensure optimal security, consider disabling weaker OpenSSH key exchange algorithms. This document describes how to disable the diffie-hellman-group1-sha1 key exchange algorithm in OpenSSH on Oracle Linux 7.
The same process may also be used to disable other algorithms.
Steps to disable Oracle Linux 7 OpenSSH diffie-hellman-group1-sha1 key exchange algorithm
1. Check whether the diffie-hellman-group1-sha1 key exchange algorithm is currently enabled (the echoed exit status is 0 when grep finds it in the list, 1 when it does not):
# sshd -T | egrep -i ^kexalgorithms | grep diffie-hellman-group1-sha1; echo $?
or
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 | grep diffie-hellman-group1-sha1; echo $?
2. Back up the original SSH server configuration file, e.g.:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
3. Generate the default list of supported key exchange algorithms, excluding diffie-hellman-group1-sha1, and append it to the SSH server configuration file, e.g.:
# ssh -Q kex | grep -v 'diffie-hellman-group1-sha1' | tr '\n' ',' >> /etc/ssh/sshd_config
4. Correctly format the newly added entry in the SSH server configuration file, i.e.:
- prepend 'KexAlgorithms ' to the resulting kex list on the last line.
- remove the already deprecated algorithms gss-gex-sha1-, gss-group1-sha1- and gss-group14-sha1- from the list
- remove the trailing comma (,) after the last entry in the list
The final entry should appear similar to the following:
# tail -n 1 /etc/ssh/sshd_config
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
5. Restart the SSH server:
# systemctl restart sshd
6. Verify that the diffie-hellman-group1-sha1 key exchange algorithm is now disabled (grep should no longer match):
# sshd -T | egrep -i ^kexalgorithms | grep diffie-hellman-group1-sha1; echo $?
or
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 | grep diffie-hellman-group1-sha1; echo $?
7. Where applicable, re-run the security scan that originally detected the weakness; it should no longer be reported.
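The manual assembly in steps 3 and 4 and the checks in steps 1 and 6 can be scripted. The following is an added example, not code from the original article or from Oracle's knowledge base; the algorithm list it processes is constructed to resemble `ssh -Q kex` output on Oracle Linux 7 and was not captured from a real host.

```shell
# Added example (not from the original article): assembles the KexAlgorithms
# line of steps 3-4 and performs the whole-entry check of steps 1 and 6.

# build_kex_line: read algorithm names one per line (the shape of `ssh -Q kex`
# output) and print one sshd_config directive. Drops diffie-hellman-group1-sha1
# and the gss-* names that `ssh -Q kex` lists but sshd_config on Oracle Linux 7
# does not accept; joining with commas leaves no trailing comma to clean up.
build_kex_line() {
    kex=""
    while IFS= read -r alg; do
        case "$alg" in
            ''|diffie-hellman-group1-sha1|gss-*) continue ;;
        esac
        kex="${kex}${kex:+,}${alg}"
    done
    printf 'KexAlgorithms %s\n' "$kex"
}

# kex_listed LINE ALG: exit 0 if ALG is a whole entry in a "kexalgorithms a,b"
# line as printed by `sshd -T`, unlike a substring grep, which would also
# match curve25519-sha256 inside curve25519-sha256@libssh.org.
kex_listed() {
    list=$(printf '%s' "$1" | sed 's/^[Kk]ex[Aa]lgorithms[[:space:]]*//')
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Constructed sample in the shape of `ssh -Q kex` on Oracle Linux 7 (not
# captured from a real host).
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-'

printf '%s\n' "$SAMPLE_KEX" | build_kex_line
# On a real host, as root and after the backup of step 2:
#   ssh -Q kex | build_kex_line >> /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd   # sshd -t rejects a bad directive before it locks you out
```

Running `sshd -t` before the restart matters because sshd refuses to start on an unknown KexAlgorithms entry, which is exactly how a leftover gss-* name or trailing comma costs you remote access.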
The same procedure can also be applied to Ciphers.
Reference: Oracle Linux: How To Disable SSH Server Weak Key Exchange Algorithm diffie-hellman-group1-sha1 (Doc ID 2803881.1)