How to disable SHA1 algorithms for SSHD in vCenter Server Appliance 6.7
search cancel

How to disable SHA1 algorithms for SSHD in vCenter Server Appliance 6.7

book

Article ID: 326204

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
OpenSSH in VCSA 6.7 has sha1 ciphers enabled for key exchange algorithms and message authentication codes.

Environment

VMware vCenter Server 6.7.x

Resolution

To disable weak sha1 ciphers for sshd/OpenSSH in vCenter Server Appliance, ensure you have a fresh backup of the VCSA, then follow the steps below:
  1. backup the current sshd_config file: 
    # cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
  2. edit /etc/ssh/sshd_config 
    # vi /etc/ssh/sshd_config
  3. find the following block: 
    # Example of overriding settings on a per-user basis
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1
  4. change this block to: 
    # Example of overriding settings on a per-user basis
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
  5. save the file with :wq and restart sshd: 
    # systemctl restart sshd


Additional Information

Impact/Risks:
Note: limiting the SSH ciphers might result in certain SSH client no longer being able to establish a connection. Prior to implementing these changes in a productive environment, therefore please advise your customer to verify in a test environment, if the SSH client of their choice supports these changes and does still work after implementing them.

Powered by Wolken Software