Profile Applicability:
• Level 1
Description:
Configuring strong cryptographic ciphers for the SSH daemon (sshd) ensures secure encrypted communication between clients and the server, protecting against cryptographic attacks and data interception.
Rationale:
Using strong and modern ciphers mitigates vulnerabilities associated with weak or deprecated algorithms, enhancing the confidentiality and integrity of SSH sessions.
Impact:
Pros:
Strengthens encryption protecting SSH sessions.
Helps comply with security standards and best practices.
Cons:
May reduce compatibility with very old SSH clients.
Default Value:
Default cipher settings vary by SSH server version and distribution; older defaults may include weak ciphers.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current ciphers configured in /etc/ssh/sshd_config:
grep ^Ciphers /etc/ssh/sshd_config
Review the list of enabled ciphers. If no Ciphers line is present, the server's built-in default cipher list is in effect.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Add or update the Ciphers directive with strong ciphers, for example:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
Save the file and restart sshd:
systemctl restart sshd
Verify the configuration:
grep ^Ciphers /etc/ssh/sshd_config
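The Test Plan and the verification step above both reduce to the same check: read the Ciphers directive and confirm every entry is on an approved list. The script below is an added audit helper, not part of the benchmark text; it uses the three ciphers from the example directive as its allowlist and runs against a constructed sample config rather than a real host's /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the benchmark). Allowlist = the ciphers named in the
# remediation above; anything else is reported as weak or unapproved.
STRONG_CIPHERS="aes256-gcm@openssh.com aes128-gcm@openssh.com chacha20-poly1305@openssh.com"

# Constructed sample sshd_config so the script runs offline (hypothetical content).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config (constructed sample, not a real host's file)
Port 22
Ciphers aes256-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com
EOF

# audit_ciphers FILE
# Prints each cipher not on the allowlist. Exit status:
#   0 = all configured ciphers approved, 1 = weak/unapproved cipher found,
#   2 = no Ciphers directive (the server's built-in defaults apply).
audit_ciphers() {
    cfg="$1"
    # sshd keywords are case-insensitive; the last matching directive wins.
    line=$(grep -i '^[[:space:]]*Ciphers[[:space:]]' "$cfg" | tail -n 1)
    [ -n "$line" ] || { echo "no Ciphers directive: server defaults apply"; return 2; }
    list=$(printf '%s\n' "$line" | awk '{print $2}')
    rc=0
    IFS=','
    for c in $list; do
        case " $STRONG_CIPHERS " in
            *" $c "*) ;;
            *) echo "weak or unapproved cipher: $c"; rc=1 ;;
        esac
    done
    unset IFS
    return $rc
}

# On a live host, "sshd -T | grep -i '^ciphers'" shows the effective list,
# including defaults, which a plain grep of sshd_config cannot reveal.
audit_ciphers "$SAMPLE_CFG" || echo "audit failed with status $?"
rm -f "$SAMPLE_CFG"
```

Against the sample config the script flags aes128-ctr and exits with status 1; point it at the real sshd_config after remediation to confirm a clean result.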
Backout Plan:
Using Linux command line:
Revert to previous Ciphers settings if necessary.
Restart sshd and verify compatibility.
References: