Update ciphers for key exchange, MAC?
Answered
I need to remove SHA1 ciphers from the system, but they are for MAC and key exchange, which don't seem to have a configuration within WHM.
When I edit /etc/ssh/sshd_config.d/50-redhat.conf, it says this:
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config
Then if I open the opensshserver.config file, it proceeds to show all the ciphers for MACs, GSSAPIKexAlgorithms, KexAlgorithms, HostKeyAlgorithms, PubkeyAcceptedAlgorithms, CASignatureAlgorithms.
The language makes it seem like I can't edit this file or it will have no effect.
What is the correct way to edit the MAC and key exchange ciphers specifically? Is there a different file or place in WHM?
Hi,
Were you specifically needing to modify the ciphers for the SSH service only? If so, you should be able to modify these by editing the /etc/ssh/sshd_config file. After making modifications to the file, you would need to restart the SSH service for the changes to take effect, which can be done with the /scripts/restartsrv_sshd command.
Thanks for the reply.
The sshd_config file you mentioned does not have anything in it for ciphers. It does include sshd_config.d/*.conf at the top of the file. The only file within the sshd_config.d folder is 50-redhat.conf, which also doesn't have ciphers defined in it. This is the file I mentioned in the first post that makes it sound like I can't edit the ciphers in this or further included files, which doesn't make sense.
The 50-redhat.conf file includes /etc/crypto-policies/back-ends/opensshserver.config. This is the only file that actually has the ciphers defined, so this is the one I edited.
So my question is, was it right to edit that file, or should I move or copy the cipher definitions to a different file?
You asked if this is for "SSH service only". I'm not sure what you mean, that's beyond my knowledge I think. The security team pointed out sha1 ciphers in the key exchange algorithms, MAC, and host key settings.
In the opensshserver.config file, these lines begin with:
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,.......
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,......
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,....
Those are the lines I edited to remove sha1 references. Then I restarted sshd.
I know there are many places in WHM to edit ciphers, for Exim, for Apache, for Web Services, for Web Disk, for Mailserver, but I needed these specifically, the MAC, key exchange, host key. I guess that must be for SSH only?
In any case, I just don't know if this was the right place to edit, that's all.
Hi,
To clarify, editing the /etc/ssh/sshd_config would only affect the SSH ciphers, but if you would like a list of how to edit the ciphers for each service, we have one below:
https://docs.cpanel.net/knowledge-base/security/how-to-update-ciphers-and-tls-protocols
Since the SSH service is part of the Operating System and not cPanel, it isn't listed in the above documentation. However, to confirm whether the changes you made have taken effect, you can run the following command to print out the current SSH settings:
sshd -T
If there are no current entries to specify the ciphers in the /etc/ssh/sshd_config file, then you can add new entries. However, the steps to modify the SSH configuration will also vary based on the Operating System. Some Operating Systems such as AlmaLinux 8/9 also contain the following file which overwrites changes to the sshd_config:
/etc/crypto-policies/back-ends/opensshserver.config
As such, you would need to edit the above file instead of the sshd_config depending on your server's Operating System. I did want to mention that modifying the SSH ciphers does have the potential to negatively affect the service if any mistakes are made. However, we have a safe SSH restart script you can use to reset the service to the defaults if you need to regain SSH access to the server to undo any changes. I'll include information about this script below:
How can I safely restart my server's SSHD service via the cPanel SSH autofixer?
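As an added example (not from the thread and not a cPanel script), here is a POSIX shell check that reads `sshd -T` output and lists the SHA-1 based MAC, key-exchange and host-key algorithms still in effect, so an edit to opensshserver.config can be confirmed after the restart; the sshd -T excerpts in it are constructed samples, not captured from the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread: audit the settings sshd actually
# uses (as printed by `sshd -T`) for SHA-1 based MAC, key-exchange and
# host-key algorithms, so an edit to opensshserver.config can be confirmed
# after `/scripts/restartsrv_sshd`. Both functions read an sshd -T dump
# from standard input.

# Print "<keyword> <algorithm>" for every SHA-1 based entry on the macs,
# kexalgorithms and hostkeyalgorithms lines. Besides names containing
# "sha1", ssh-rsa and ssh-dss (and their certificate forms) are flagged:
# they sign with SHA-1 even though the name does not say so.
find_sha1_algos() {
    awk '$1 == "macs" || $1 == "kexalgorithms" || $1 == "hostkeyalgorithms" {
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (algos[i] ~ /sha1/ || algos[i] ~ /^ssh-(rsa|dss)(-cert-v01@openssh.com)?$/)
                    print $1, algos[i]
        }'
}

# Exit 0 when nothing SHA-1 based remains, 1 otherwise.
sha1_free() {
    [ -z "$(find_sha1_algos)" ]
}

# Constructed sshd -T excerpts (sshd -T prints keywords in lower case);
# not captured from the poster's server.
SAMPLE_BEFORE='port 22
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp256
hostkeyalgorithms ecdsa-sha2-nistp256,rsa-sha2-512,ssh-rsa'
SAMPLE_AFTER='port 22
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
hostkeyalgorithms ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'

# On a live server (as root): sshd -T | find_sha1_algos
printf '%s\n' "$SAMPLE_BEFORE" | find_sha1_algos
```

Run against the live daemon with `sshd -T | sha1_free` after restarting sshd; a non-zero exit means a SHA-1 based algorithm is still being offered.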
Thanks.
Yes I mentioned opensshserver.config is the only file that actually had ciphers defined in it, so that's the one I edited. This is an AlmaLinux 9 server.
I only wanted someone to validate this is the correct file to edit and it wouldn't be reverted or overwritten by something else.
I understand the SSH ciphers would be part of the OS and not WHM, but since WHM is the server management tool, it would still be handy if there were a connector of some sort to the SSH config. If just for convenience.
WHM allows us to restart the service, and reboot it in safe mode, so it would be nice to see the configs too.
I think that takes care of my question. Thanks!