Problem
When you run a security vulnerability scan, you might get output similar to the following:
The following weak SSH server-to-client encryption algorithms are enabled:
arcfour128 arcfour256 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc
The following weak SSH client-to-server encryption algorithms are enabled:
arcfour128 arcfour256 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc
The output may differ depending on the tool used for the scan, but the message means the same thing: some weak SSH ciphers are enabled and need to be disabled.
Environment
- Compute Engine instance
- Linux Operating System
Solution
Server to Client Ciphers
- Log in to the instance using the ssh command.
- Switch to the root user using the sudo su - command.
- List the currently enabled ciphers by running the command sshd -T | grep -i 'cipher'.
- Copy the list and remove the unwanted ciphers. For example:
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
- Make a backup of the file /etc/ssh/sshd_config by running the command:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Open the file /etc/ssh/sshd_config using a text editor and look for the section that looks like this:
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
- If the section is there, edit it. If not, add it to the end of the file.
- Restart the SSH daemon using the command service sshd restart.
- Run the command sshd -T | grep -i 'cipher' again to confirm that the change took effect.
Client to Server Ciphers
- SSH to the instance and switch to root by running the command sudo su -.
- List the currently enabled ciphers by running the command ssh -Q cipher.
- Copy the list and remove the unwanted ciphers. For an example, check step 3 of the previous section.
- Make a backup of the file /etc/ssh/ssh_config by running the command:
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
- Edit /etc/ssh/ssh_config so that it contains the modified list of ciphers.
- Run the command ssh -Q cipher again to confirm that the change took effect.
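The "copy the list and remove the unwanted ciphers" step from both sections, as an added shell example that is not part of the original article. It assumes the weak set is what the scan output names (arcfour* and every CBC mode); the function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive a hardened Ciphers line from the list sshd reports.
# Weak patterns (assumption, taken from the scan output): arcfour* and all
# CBC modes (3des-cbc, aes*-cbc, blowfish-cbc, cast128-cbc, rijndael-cbc@...).

# is_weak NAME -> exit 0 if the cipher matches a flagged pattern
is_weak() {
    case "$1" in
        arcfour*|*-cbc|*-cbc@*) return 0 ;;
        *) return 1 ;;
    esac
}

# filter_ciphers "a,b,c" -> prints the comma-separated list minus weak entries
filter_ciphers() {
    out=""
    old_ifs=$IFS; IFS=,
    for c in $1; do
        [ -n "$c" ] || continue
        is_weak "$c" && continue
        out="${out:+$out,}$c"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# ciphers_from_sshd_T: read `sshd -T` output on stdin, print its cipher list
ciphers_from_sshd_T() {
    awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# hardened_line: stdin = `sshd -T` output, stdout = line for sshd_config
hardened_line() {
    kept=$(filter_ciphers "$(ciphers_from_sshd_T)")
    # Refuse to emit an empty list: sshd would not start with it.
    [ -n "$kept" ] || { echo "no strong ciphers left" >&2; return 1; }
    printf 'Ciphers %s\n' "$kept"
}

# Constructed sample of `sshd -T` output; the ciphers line is the one shown above.
SAMPLE='port 22
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256'

printf '%s\n' "$SAMPLE" | hardened_line
# Live host: sshd -T | hardened_line; validate the edited file with `sshd -t` before restarting.
```

On the client side, `ssh -Q cipher` lists every cipher the ssh binary supports, while `ssh -G <host>` prints the cipher list that is in effect after /etc/ssh/ssh_config is applied.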
Cause
Ciphers get updated with every new release of OpenSSH, but some older ciphers are left enabled for backwards compatibility with older SSH clients. If you're not using older SSH clients and are worried about the security risk, the configuration can be modified easily using the steps above.