Question
How can I disable cipher block chaining encryption for SSH?
Disabling the Cipher Block Chaining (CBC) encryption is done by modifying the cipher configuration within your SSH configuration. You may be asked to do this to comply with certain compliance scans.
Note: The cPanel software does not have any tools to manage the SSH configuration directly. Changes made to SSH can alter your ability to connect to the server. If you have any concerns about applying these changes, we recommend you consult with your System Administrator. If you lose access to your server due to a misconfiguration in SSH, you may need to contact your hosting provider to restore it.
Answer
- Connect to your server through SSH as the root user
Make a backup of your SSHd configurations to use in case of unexpected results:
# cp -v /etc/ssh/sshd_config{,.$( date +%Y%m%d )}
# cp -v /etc/crypto-policies/back-ends/openssh.config{,.$( date +%Y%m%d )}
Using your preferred text editor, check the following SSH configuration files for the Ciphers setting:
/etc/ssh/sshd_config/etc/crypto-policies/back-ends/openssh.configLocate the Ciphers line. It may look something like this:
CONFIG_TEXT: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Remove the following ciphers from the list if they are present:
CONFIG_TEXT: arcfour
arcfour128
arcfour25
aes128-cbc
3des-cbc
blowfish-cbc
cast128-cbc
aes192-cbc
aes256-cbcSave your changes and restart the SSHd service:
# /scripts/restartsrv_sshd
Your changes should be applied. You can use the following command to verify the currently active ciphers in your SSH configuration:
# sshd -T | grep ciphers
Comments
0 comments
Article is closed for comments.