Securing SSH Communication

When the client communicates with the server using SSH protocol, a key exchange process occurs for encrypting and decrypting the communication. During the key exchange process, client and server decide on the cipher suites that must be used for communication. The cipher suites contain different algorithms for securing the communication. One of the algorithms that Protegrity appliances uses is SHA1, which is vulnerable to collision attacks. Thus, to secure the SSH communication, it is recommended to deprecate the SHA1 algorithm. The following steps describe how to remove the SHA1 algorithm from the SSH configuration.

To secure SSH communication:

1. On the CLI Manager, navigate to Administration > OS Console.

2. Navigate to the /etc/ssh directory.

3. Edit the sshd_config.orig file.

4. Remove the following entry:

   MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
   

5. Remove the following entry:

   KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
   

6. Save the changes and exit the editor.

7. Navigate to the /etc/ksa directory.

8. Edit the sshd_config.append file.

9. Append the following entries to the file.

   MACs hmac-sha2-256,hmac-sha2-512
   KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
   

10. Save the changes and exit the editor.

11. Restart the SSH service using the following command.

    /etc/init.d/ssh restart
    

    The SHA1 algorithm is removed for the SSH communication.

• ←Previous
• Next→

Last modified February 7, 2025