Customer reported that a security scan found weak SSH Cipher Block Chaining (CBC) ciphers
enabled on several GPDB hosts.
Product Version: 6.22
How to remove weak ssh Cipher Block Chaining (CBC) encryption

The list of approved ciphers can be decided by the customer based on which security compliance standard they are trying to meet. Greenplum does not restrict the SSH cipher set itself and will generally work with whatever algorithms the operating system's sshd is configured to allow.

The /etc/ssh/sshd_config file must be updated on all Greenplum hosts: the Coordinator, the Standby Coordinator and every segment host. After editing sshd_config, the ssh daemon must be restarted with systemctl restart sshd on each host for the change to take effect.

CAUTION: It is possible to restart the ssh daemon while Greenplum is online, but ONLY if no Greenplum management utilities (which rely on ssh between the hosts) are running at the time of the restart.

RECOMMENDATION: It is highly recommended to temporarily stop Greenplum in order to perform the ssh daemon restart.
1. Log into the Coordinator, standby coordinator and segment host servers.
2. Navigate to the /etc/ssh directory, then make a backup copy of sshd_config for safe keeping.
You will need elevated privileges (root or sudo) to copy or modify the sshd_config file.
Example:
[gpadmin@16greenplum-m ssh]$ sudo cp sshd_config sshd_config_07192023
[gpadmin@16greenplum-m ssh]$ ls -lrt
total 640
-rw-r--r--. 1 root root 382 Aug 24 2018 ssh_host_rsa_key.pub
-rw-r-----. 1 root ssh_keys 1675 Aug 24 2018 ssh_host_rsa_key
-rw-r--r--. 1 root root 162 Aug 24 2018 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 227 Aug 24 2018 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 82 Aug 24 2018 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 387 Aug 24 2018 ssh_host_ed25519_key
-rw-r--r--. 1 root root 581843 Nov 24 2021 moduli
-rw-r--r--. 1 root root 2276 Jul 18 23:24 ssh_config_07182023.bak
-rw-------. 1 root root 983 Jul 19 00:23 ssh_host_key
-rw-r--r--. 1 root root 648 Jul 19 00:23 ssh_host_key.pub
-rw-r--r--. 1 root root 608 Jul 19 00:23 ssh_host_dsa_key.pub
-rw-------. 1 root root 668 Jul 19 00:23 ssh_host_dsa_key
-rw-------. 1 root root 3916 Jul 19 00:26 sshd_config_07182023.bak
-rw-r--r--. 1 root root 2276 Jul 19 03:17 ssh_config
-rw-------. 1 root root 4217 Jul 19 17:00 sshd_config
-rw-------. 1 root root 4217 Jul 20 00:46 sshd_config_07192023
3. On each host, check which ciphers sshd currently offers. sshd -T prints the effective configuration, including built-in defaults that are not written in sshd_config, so it is the authoritative list. It must be run as root or with sudo.
Example 1 (as root, or as gpadmin via sudo):
[root@16greenplum-m gpadmin]# sshd -T | grep ciphers
[gpadmin@16greenplum-m ssh]$ sudo sshd -T | grep ciphers
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
4. Using a scratch pad or text file, remove the unwanted CBC ciphers (aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc and 3des-cbc) from the list, keeping the CTR, GCM and ChaCha20-Poly1305 entries in their existing order.
Before:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
After:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
5. Verify that every -cbc entry is gone, then use your preferred editor to put the Ciphers line from step 4 into /etc/ssh/sshd_config.
NOTE: Place the Ciphers entry under the "# Ciphers and keying" section of sshd_config. If sshd_config already contains an uncommented Ciphers line, edit that line rather than adding a second one, because sshd honours only the first occurrence of a keyword.
EXAMPLE:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Key Exchange Algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
6. Validate the edited file, then restart the sshd daemon.
NOTE: Run sshd -t first; it parses sshd_config and the host keys, prints nothing and exits 0 when the configuration is valid. A typo in sshd_config would otherwise stop sshd from starting and lock you out of the host. Keep your current ssh session open until you have confirmed that a new session can be opened. The sshd daemon needs to be restarted on each server.
sshd -t
systemctl restart sshd
7. Test the ssh connection using each of the removed ciphers in turn (aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc).
ssh -oCiphers=blowfish-cbc localhost
NOTE: The weak CBC cipher is no longer accepted by sshd when the connection fails with "Unable to negotiate with 127.0.0.1 port 22: no matching cipher found." The "Their offer:" part of the message lists exactly what the server now allows and must not contain any -cbc entry. If the ssh client on the host no longer supports a given CBC cipher itself, the client rejects the option locally before connecting; that is not a server-side confirmation, so run the test from a client that still supports the cipher (ssh -Q cipher lists what the client supports).
[gpadmin@16greenplum-m ssh]$ ssh -oCiphers=blowfish-cbc localhost
Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
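The procedure in steps 2 to 7 on a single host, as an added shell script that is not part of this article or of Greenplum. It assumes OpenSSH (sshd -T, sshd -t and ssh -Q are available), a systemd unit named sshd, and at most one Ciphers keyword in /etc/ssh/sshd_config outside any Match block. The environment variable SSHD_HARDEN_APPLY is a name invented for this example as a safety switch: the filter functions can be run by anyone, but nothing touches the host unless SSHD_HARDEN_APPLY=1 and the script runs as root. Copy it to and run it on every Greenplum host (Coordinator, Standby Coordinator, all segments), observing the caution about Greenplum utilities above.

```shell
#!/bin/sh
# Added example (not from the KB article): drop CBC ciphers from the sshd
# cipher list on this host, validate, restart sshd and re-test.
# Assumptions: OpenSSH sshd/ssh, systemd unit "sshd", Ciphers keyword
# (if present) in /etc/ssh/sshd_config and not inside a Match block.
# SSHD_HARDEN_APPLY is a variable name chosen for this example only.

SSHD_CONFIG=/etc/ssh/sshd_config

# strip_cbc_ciphers LIST
# Print LIST (comma-separated, as printed by "sshd -T") with every *-cbc
# entry removed, keeping the remaining entries in their original order.
strip_cbc_ciphers() {
    out=""
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        case $c in
            *-cbc) ;;                       # CBC-mode entry: drop it
            "")    ;;                       # empty field (stray comma)
            *)     out="${out:+$out,}$c" ;; # keep, preserving order
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# has_cbc_ciphers LIST: exit 0 if LIST still contains any *-cbc entry.
has_cbc_ciphers() {
    case ",$1," in
        *-cbc,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# effective_ciphers: the list sshd is really using, defaults included (root).
effective_ciphers() {
    sshd -T | awk '$1 == "ciphers" { print $2 }'
}

# verify_cbc_rejected: try every CBC cipher the local client still supports
# against localhost; a cipher passes only when sshd answers
# "no matching cipher found".  Anything else (a login, or an auth error,
# which means key exchange already succeeded) counts as a failure.
verify_cbc_rejected() {
    rc=0
    for c in $(ssh -Q cipher | grep -- '-cbc$'); do
        msg=$(ssh -oCiphers="$c" -oBatchMode=yes -oConnectTimeout=5 \
                  -oStrictHostKeyChecking=no localhost true 2>&1)
        if printf '%s\n' "$msg" | grep -q 'no matching cipher found'; then
            echo "OK    $c rejected by sshd"
        else
            echo "FAIL  $c still negotiable or other error: $msg"
            rc=1
        fi
    done
    return $rc
}

# apply_hardening: steps 2-7 of the article for this host.  Must run as root.
apply_hardening() {
    current=$(effective_ciphers)
    wanted=$(strip_cbc_ciphers "$current")
    if [ "$current" = "$wanted" ]; then
        echo "sshd already offers no CBC ciphers: $current"
        return 0
    fi
    backup="$SSHD_CONFIG.$(date +%m%d%Y)"     # e.g. sshd_config.07192023
    cp -p "$SSHD_CONFIG" "$backup"
    # Edit the existing Ciphers line, or add one under "Ciphers and keying".
    if grep -qiE '^[[:space:]]*Ciphers[[:space:]]' "$SSHD_CONFIG"; then
        sed -i -E "s/^[[:space:]]*Ciphers[[:space:]].*/Ciphers $wanted/I" "$SSHD_CONFIG"
    else
        printf '\n# Ciphers and keying\nCiphers %s\n' "$wanted" >> "$SSHD_CONFIG"
    fi
    # Never restart on a config that does not parse; roll back instead.
    if ! sshd -t; then
        cp -p "$backup" "$SSHD_CONFIG"
        echo "sshd -t rejected the new config; restored from $backup" >&2
        return 1
    fi
    systemctl restart sshd
    verify_cbc_rejected
}

if [ "${SSHD_HARDEN_APPLY:-0}" = 1 ]; then
    apply_hardening
fi
```

Run as root with SSHD_HARDEN_APPLY=1 ./harden_sshd_ciphers.sh; without the variable the script only defines the functions, so it can be sourced to filter a cipher list taken from another host. The sed flag I and the -i option are GNU sed features, which is what the Linux hosts Greenplum runs on provide.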