SHA1 deprecated vulnerability for SSH on ESXi hosts

Article ID: 301602

Products

VMware vSphere ESXi

Issue/Introduction

The SSH service on ESXi hosts is reported as vulnerable because it still offers deprecated SHA-1 based algorithms (the hmac-sha1 MACs and SHA-1 based key-exchange methods).

Environment

VMware vSphere ESXi

Resolution

Steps to disable the SHA-1 based SSH algorithms on ESXi:

  1. SSH to the ESXi host as the root user.
  2. Back up the current sshd_config file:

         cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old

  3. Edit /etc/ssh/sshd_config:

         vi /etc/ssh/sshd_config

  4. Find the following block:

         Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
         MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1

  5. Change it to this (the two hmac-sha1 MACs are removed and an explicit KexAlgorithms line limits key exchange to SHA-2 based methods; each list is comma separated with no spaces):

         Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
         MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
         KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

  6. Save the file with ":wq" and restart sshd (ESXi uses the init script, not systemctl):

         /etc/init.d/SSH restart
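To verify the edit before restarting sshd, the following POSIX sh script (an added example, not part of this KB) audits an sshd_config for any remaining SHA-1 based algorithm, for a missing KexAlgorithms line, and for a stray space inside a comma-separated list. The function names sha1_algos, has_kex, bad_list_syntax and check_config are the example's own, and the sample configs are constructed inline using the standard OpenSSH algorithm names from steps 4 and 5.

```shell
#!/bin/sh
# Added example, not part of the KB: audit an sshd_config for SHA-1-based
# algorithms and for the list-syntax slip that breaks a KexAlgorithms line.
# POSIX sh only (busybox ash on ESXi is enough); the sample configs below are
# constructed inline so the script runs anywhere.

# sha1_algos FILE: print each SHA-1-based algorithm name from the Ciphers, MACs
# and KexAlgorithms lines, one per line; prints nothing when the file is clean.
sha1_algos() {
    grep -iE '^[[:space:]]*(Ciphers|MACs|KexAlgorithms)[[:space:]]' "$1" |
        sed 's/^[[:space:]]*[A-Za-z]*[[:space:]]*//' |
        tr ',' '\n' | tr -d ' \t' | grep -i 'sha1'
}

# has_kex FILE: 0 when an explicit KexAlgorithms line exists. Without one, sshd
# offers its built-in default key-exchange list, which a scanner may still flag.
has_kex() { grep -qiE '^[[:space:]]*KexAlgorithms[[:space:]]' "$1"; }

# bad_list_syntax FILE: 0 when an algorithm list has whitespace after a comma
# ("...sha256, diffie-hellman-..."); sshd does not read that as one list.
bad_list_syntax() {
    grep -qiE '^[[:space:]]*(Ciphers|MACs|KexAlgorithms)[[:space:]]+[^[:space:]]+,[[:space:]]' "$1"
}

# check_config FILE: 0 only when no SHA-1 algorithm is offered, a KexAlgorithms
# line is present and every list is syntactically clean.
check_config() {
    [ -z "$(sha1_algos "$1")" ] && has_kex "$1" && ! bad_list_syntax "$1"
}

# --- constructed sample inputs, mirroring steps 4 and 5 above ---
BEFORE=$(mktemp); AFTER=$(mktemp); BROKEN=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER" "$BROKEN"' EXIT
cat > "$BEFORE" <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
EOF
cat > "$AFTER" <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
EOF
# same as AFTER but with a stray space inside the KexAlgorithms list
sed 's/sha256,diffie-hellman-group16/sha256, diffie-hellman-group16/' "$AFTER" > "$BROKEN"

for f in "$BEFORE" "$AFTER" "$BROKEN"; do
    if check_config "$f"; then echo "$f: OK"; else echo "$f: needs attention"; fi
done
```

Run it against /etc/ssh/sshd_config on the host after step 5 and only restart sshd once check_config reports OK.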