book
Article ID: 326204
calendar_today
Updated On:
Issue/Introduction
Symptoms:
OpenSSH in VCSA 6.7 has sha1 ciphers enabled for key exchange algorithms and message authentication codes.
Environment
VMware vCenter Server 6.7.x
Resolution
To disable weak sha1 ciphers for sshd/OpenSSH in vCenter Server Appliance, ensure you have a fresh backup of the VCSA, then follow the steps below:
- backup the current sshd_config file:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
- edit /etc/ssh/sshd_config
# vi /etc/ssh/sshd_config
- find the following block:
# Example of overriding settings on a per-user basis
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1
- change this block to:
# Example of overriding settings on a per-user basis
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
- save the file with :wq and restart sshd:
# systemctl restart sshd
Additional Information
Impact/Risks:
Note: limiting the SSH ciphers might result in certain SSH client no longer being able to establish a connection. Prior to implementing these changes in a productive environment, therefore please advise your customer to verify in a test environment, if the SSH client of their choice supports these changes and does still work after implementing them.