How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services for Oracle Linux 6 and later
Applies To:
Oracle Cloud Infrastructure - Version N/A and later
Linux x86-64
Goal:
This article shows how to disable weak ciphers like CBC and insecure MACs like HMAC MD5 as an example on Oracle Linux 6 and 7, 8 and 9.
Solution:
Oracle Linux 8 and Oracle Linux 9
To disable weak ciphers and insecure HMAC algorithms in ssh service in Oracle Linux 8, follow the instructions below:
Edit /etc/sysconfig/sshd and uncomment CRYPTO_POLICY parameter.
# CRYPTO_POLICY= [Original value] CRYPTO_POLICY= [New value]
Make sure correct Ciphers, MACs and KexAlgorithms are added to /etc/ssh/sshd_config file.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Tagged:
0