I'm running ubuntu on an Amazon EC2 server - I need to lock down the ssh ciphers for pci compliance. I have tried editing the /etc/ssh/sshd_config, with these lines:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr KexAlgorithms diffie-hellman-group-exchange-sha256 MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 

and restarted the server. However, this command:

ssh -Q cipher localhost 

still lists a full range of ciphers that I no longer want. Is there some configuration I'm missing?

ssh version is OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014 Linux is: Linux ip-172-31-34-22 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux 

Thanks for any advice.

1 Answer

ssh -Q cipher reports the ciphers supported by the ssh client, not the server.

One way to verify that you have successfully removed the cipher foo from the server configuration is to explicitly use it for your connection:

ssh -oCiphers=foo localhost


relevant excerpt from ssh.c option processing:

 case 'Q': cp = NULL; if (strcmp(optarg, "cipher") == 0) cp = cipher_alg_list('\n', 0); /* deleted other options... */ if (cp == NULL) fatal("Unsupported query \"%s\"", optarg); printf("%s\n", cp); free(cp); exit(0); break; 
3

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy