
How To Disable Weak Cipher And Insecure HMAC Algorithms in SSH services for Oracle Linux 6 and later

edited Sep 18, 2023 2:54AM in Linux 1 comment

Applies To:

Oracle Cloud Infrastructure - Version N/A and later

Linux x86-64

Goal:

This article shows how to disable weak ciphers (for example, CBC) and insecure MACs (for example, HMAC-MD5) in the SSH service on Oracle Linux 6, 7, 8 and 9.

Solution:

Oracle Linux 8 and Oracle Linux 9

To disable weak ciphers and insecure HMAC algorithms in the SSH service on Oracle Linux 8, follow the instructions below:

Edit /etc/sysconfig/sshd and uncomment the CRYPTO_POLICY parameter.

# CRYPTO_POLICY= [Original value]
CRYPTO_POLICY= [New value]

Make sure the correct Ciphers, MACs and KexAlgorithms are added to the /etc/ssh/sshd_config file.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
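
A check for the two steps above, as an added example that is not part of the original article: it confirms that CRYPTO_POLICY is uncommented and flags any algorithm in sshd_config that is not in the article's three lists. The function names and the script name audit.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Allow-lists copied verbatim from the article's sshd_config lines.
ALLOWED_KEX="curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

# Report a missing CRYPTO_POLICY line, or one that is still commented out.
check_crypto_policy() {
    grep -Eq '^[[:space:]]*CRYPTO_POLICY=' "$1" ||
        echo "CRYPTO_POLICY is not uncommented in $1"
}

# check_directive FILE KEYWORD ALLOWLIST
# Report each algorithm set for KEYWORD that is absent from ALLOWLIST.
# Assumes the "Keyword value" form used in the article.
check_directive() {
    # sshd keywords are case-insensitive and the first occurrence wins.
    value=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -z "$value" ]; then
        echo "$2: not set in $1"
        return 0
    fi
    for alg in $(echo "$value" | tr ',' ' '); do
        case ",$3," in
            *",$alg,"*) ;;
            *) echo "$2: $alg is not in the article's list" ;;
        esac
    done
}

# audit_sshd SSHD_CONFIG SYSCONFIG_SSHD
# Prints findings and returns 1 if there are any, otherwise returns 0.
audit_sshd() {
    findings=$(
        check_crypto_policy "$2"
        check_directive "$1" KexAlgorithms "$ALLOWED_KEX"
        check_directive "$1" Ciphers "$ALLOWED_CIPHERS"
        check_directive "$1" MACs "$ALLOWED_MACS"
    )
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Run only when both paths are given, e.g.:
#   sh audit.sh /etc/ssh/sshd_config /etc/sysconfig/sshd
if [ "$#" -eq 2 ]; then audit_sshd "$1" "$2"; fi
```

Because keyword matching is case-insensitive, check_directive also works on the output of `sshd -T` saved to a file, which shows the values sshd actually uses.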
