How to Remove Weak SSH Key Exchange Algorithms (KexAlgorithms)
Article ID: 296868

Products

VMware Tanzu Greenplum

Issue/Introduction

A security scan found weak SSH key exchange algorithms on several Greenplum hosts.

Environment

Product Version: 6.22

Resolution

How to remove weak SSH key exchange algorithms (KexAlgorithms) from /etc/ssh/sshd_config.

The list of approved algorithms can be decided by the customer based on which security compliance they are trying to achieve. Greenplum will generally support whatever algorithms are allowed.

The /etc/ssh/sshd_config file must be updated on all Greenplum segment hosts, including Coordinator/Standby-Coordinator.

After editing the sshd_config file, the ssh daemon must be restarted using systemctl restart sshd in order to apply the changes.

CAUTION:

It is possible to restart the ssh daemon while Greenplum is online, but ONLY if no other Greenplum utilities are in use during the restart.

RECOMMENDATION:

It is highly recommended to temporarily stop Greenplum in order to perform the ssh daemon restart.

1. Log into the coordinator, standby coordinator and segment host servers.

2. Navigate to the /etc/ssh directory, then make a copy of sshd_config for safe keeping.
You will need elevated privileges to copy or modify the sshd_config file.

Example: 
cp sshd_config sshd_config_$(date +%Y%m%d)

3. On each host, verify the key exchange algorithms in use. The first command lists every algorithm the local OpenSSH build supports; the second (run as root, since sshd -T reads the host keys) prints the list the daemon actually offers with its effective configuration:
ssh -Q kex
or
sshd -T | grep kexalgorithms

Example 1: 
[gpadmin@16greenplum-m ~]$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-

Example 2: 
[root@16greenplum-m gpadmin]# sshd -T | grep kexalgorithms
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

4. Using a scratch pad or text file, remove the unwanted SHA-1 based kex algorithms diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, gss-gex-sha1-, gss-group1-sha1- and gss-group14-sha1- from the list reported by sshd -T.

Before: 
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

After:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

5. Edit /etc/ssh/sshd_config and set the "KexAlgorithms" entry to the trimmed list.

NOTE: Add the KexAlgorithms entry above/before the "Ciphers and keying" entry.

Example: 
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Key Exchange Algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

6. Restart the sshd daemon. 

NOTE: The sshd daemon needs to be restarted on each server.

systemctl restart sshd 

7. Test the ssh connections by forcing each of the removed Kex Algorithms on the client side.

NOTE: The weak Kex Algorithm has been removed successfully when the attempt fails with "Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found." The "Their offer:" list that follows is what the server now advertises and should contain none of the removed names.

Example:
[gpadmin@16greenplum-m ~]$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,

[gpadmin@16greenplum-m ~]$ ssh -oKexAlgorithms=diffie-hellman-group1-sha1 localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,

[gpadmin@16greenplum-m ~]$ ssh -oKexAlgorithms=gss-gex-sha1- localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,

[gpadmin@16greenplum-m ~]$ ssh -oKexAlgorithms=gss-group1-sha1- localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
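As an added example (not part of the KB article), a small POSIX sh helper that covers steps 3 through 7 on one host: it derives the hardened KexAlgorithms line from an sshd -T kexalgorithms line, checks an sshd_config for leftover weak names, and classifies the output of the step-7 connection test. The function names and the SAMPLE_SSHD_T line are constructed for this example, the sample being a copy of Example 2 above.

```shell
#!/bin/sh
# Added example, not part of the KB article. Derives the hardened KexAlgorithms
# line from an `sshd -T` kexalgorithms line, checks an sshd_config for leftover
# weak names, and classifies the result of the step-7 connection test.

# The SHA-1 based names removed in step 4 (diffie-hellman-group14-sha1 is also absent from the After line).
WEAK_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 gss-gex-sha1- gss-group1-sha1- gss-group14-sha1-"

# Constructed sample, copied from Example 2 above (sshd -T prints the keyword lower-case).
SAMPLE_SSHD_T="kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"

# filter_kex "<kexalgorithms line>": print a ready-to-paste "KexAlgorithms ..."
# line with every weak name dropped, keeping the remaining order (step 4).
filter_kex() {
    list=$(printf '%s\n' "$1" | sed 's/^[Kk]ex[Aa]lgorithms[[:space:]]*//')
    out=""
    for alg in $(printf '%s\n' "$list" | tr ',' ' '); do   # POSIX sh: no arrays
        keep=1
        for weak in $WEAK_KEX; do
            [ "$alg" = "$weak" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="${out:+$out,}$alg"
    done
    printf 'KexAlgorithms %s\n' "$out"
}

# config_has_weak_kex <sshd_config>: succeed (exit 0) if the first active
# KexAlgorithms line still lists a weak algorithm (check after step 5).
config_has_weak_kex() {
    line=$(grep -i '^[[:space:]]*KexAlgorithms[[:space:]]' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    list=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
    for weak in $WEAK_KEX; do
        case ",$list," in
            *",$weak,"*) return 0 ;;
        esac
    done
    return 1
}

# kex_rejected "<stderr from ssh -oKexAlgorithms=<weak> host>": succeed when the
# server refused the weak algorithm, the expected outcome in step 7.
kex_rejected() {
    case "$1" in
        *"no matching key exchange method found"*) return 0 ;;
        *) return 1 ;;
    esac
}
filter_kex "$SAMPLE_SSHD_T"
```

On a live host, feed it the real value with `filter_kex "$(sshd -T | grep '^kexalgorithms')"` as root, then run `config_has_weak_kex /etc/ssh/sshd_config` after editing; a zero exit means a weak name is still configured.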