A security scan found weak SSH key exchange algorithms on several Greenplum hosts.
How to remove unwanted/weak SSH key exchange algorithms (KexAlgorithms) from ssh
The list of approved algorithms is decided by the customer, based on the security compliance standard they are trying to meet.
Greenplum will generally support any of the allowed algorithms.
The /etc/ssh/sshd_config file must be updated on all Greenplum hosts: the coordinator, the standby coordinator and the segment hosts.
After editing sshd_config, the ssh daemon must be restarted with "systemctl restart sshd" for the change to take effect.
CAUTION: The ssh daemon can be restarted while the Greenplum database is online ONLY if no Greenplum utilities are running.
RECOMMENDATION: It is highly recommended to stop Greenplum temporarily in order to restart the ssh daemon.
1. Log into each host in the cluster as the root user and perform the following steps.
2. Navigate to the /etc/ssh directory, then make a copy of sshd_config for safekeeping.
Example:
cd /etc/ssh
cp sshd_config sshd_config_$(date +%Y%m%d)
3. Check the current key exchange algorithms in use:
ssh -Q kex
Example:
$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
4. Edit the file /etc/ssh/sshd_config and set the "KexAlgorithms" parameter to the list of required algorithms:
NOTE: You may need to add the parameter if it is not already present.
NOTE: Add the KexAlgorithms entry above (before) the "Ciphers and keying" entry.
Example:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Key Exchange Algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
5. Restart the sshd daemon.
NOTE: The sshd daemon needs to be restarted on each server.
systemctl restart sshd
6. Verify the list of possible Key Exchange Algorithms:
$ ssh -Q kex
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256
7. Test ssh connections using each of the removed Kex Algorithms.
NOTE: An unwanted/weak Kex Algorithm is no longer accepted when the test returns "Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found."
Example:
$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
$ ssh -oKexAlgorithms=diffie-hellman-group1-sha1 localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
$ ssh -oKexAlgorithms=gss-gex-sha1- localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
$ ssh -oKexAlgorithms=gss-group1-sha1- localhost
Unable to negotiate with 127.0.0.1 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,
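The steps above as shell helpers, added here as an example and not part of the original article: set_kex backs up a copy of sshd_config and inserts or replaces the KexAlgorithms line before the "# Ciphers and keying" section (steps 2 and 4), kex_get reads the resulting value, and weak_offered flags any weak algorithm in a comma-separated list such as the "Their offer:" part of the step 7 error. The approved and weak lists are the ones used in the article; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The functions only touch the
# file and strings they are given, so they can be tried on a copy of sshd_config.

# Approved list from step 4 of the article; weak list is the set tested in step 7.
APPROVED_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 gss-gex-sha1- gss-group1-sha1- gss-group14-sha1-"

# set_kex FILE LIST: back FILE up with a date suffix (step 2), then replace the
# first KexAlgorithms line (commented out or not), or insert one just before the
# "# Ciphers and keying" section as the step 4 NOTE asks; append if neither exists.
set_kex() {
  file=$1; algos=$2
  cp "$file" "$file.$(date +%Y%m%d)"
  awk -v line="KexAlgorithms $algos" '
    tolower($0) ~ /^[[:space:]]*#?[[:space:]]*kexalgorithms[[:space:]]/ && !done { print line; done=1; next }
    /^# Ciphers and keying/ && !done { print "# Key Exchange Algorithms"; print line; done=1 }
    { print }
    END { if (!done) print line }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# kex_get FILE: print the value of the first active (uncommented) KexAlgorithms line.
kex_get() {
  awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# weak_offered LIST: LIST is a comma-separated algorithm list (the "Their offer:"
# text of the step 7 error, or the kexalgorithms line of "sshd -T"). Prints the
# first weak algorithm found and returns 0; returns 1 when none is present.
weak_offered() {
  offer=",$1,"
  for w in $WEAK_KEX; do
    case "$offer" in *",$w,"*) echo "$w"; return 0 ;; esac
  done
  return 1
}

# On a host, as root, after comparing the result with the dated backup:
#   set_kex /etc/ssh/sshd_config "$APPROVED_KEX" && sshd -t && systemctl restart sshd
```

Note that "ssh -Q kex" lists what the local client supports, so on a live host use "sshd -T | grep -i kexalgorithms" to see the value the server actually applies, and "sshd -t" to syntax-check the file before restarting.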