I'm running Ubuntu on an Amazon EC2 server. I need to lock down the SSH ciphers for PCI compliance. I have tried editing /etc/ssh/sshd_config with these lines:

```
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
```

and restarted the server. However, this command:

```
ssh -Q cipher localhost
```

still lists a full range of ciphers that I no longer want. Is there some configuration I'm missing?

ssh version is:

```
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
```

Linux is:

```
Linux ip-172-31-34-22 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
```

Thanks for any advice.
1 Answer
`ssh -Q cipher` reports the ciphers supported by the ssh client, not the server.

One way to verify that you have successfully removed the cipher `foo` from the server configuration is to explicitly use it for your connection:

```
ssh -oCiphers=foo localhost
```

Relevant excerpt from ssh.c option processing:

```c
case 'Q':
    cp = NULL;
    if (strcmp(optarg, "cipher") == 0)
        cp = cipher_alg_list('\n', 0);
    /* deleted other options... */
    if (cp == NULL)
        fatal("Unsupported query \"%s\"", optarg);
    printf("%s\n", cp);
    free(cp);
    exit(0);
    break;
```
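The answer's point is that `ssh -Q cipher` prints a client-side list. What the server will actually negotiate is announced in the SSH_MSG_KEXINIT message it sends right after the version exchange (RFC 4253 section 7.1), so reading that message is the direct way to audit an sshd's configured Ciphers, KexAlgorithms and MACs. The following is an added example, not code from the question, the answer or OpenSSH: it parses a KEXINIT payload, optionally fetches one from a live host, and diffs the server's offer against the lists the question put in sshd_config. The client identification string `SSH-2.0-kexinit_probe` and the sample packet are constructed for the example.

```python
"""Audit which algorithms an SSH server actually offers (added example)."""
import io
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The ten name-lists that follow the 16-byte cookie, in wire order (RFC 4253 s7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "ciphers_client_to_server", "ciphers_server_to_client",
    "macs_client_to_server", "macs_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# The lists from the question's sshd_config; anything the server offers beyond these is a finding.
WANTED = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha256"],
    "ciphers_client_to_server": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "ciphers_server_to_client": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "macs_client_to_server": ["hmac-sha2-512", "hmac-sha2-256", "hmac-ripemd160"],
    "macs_server_to_client": ["hmac-sha2-512", "hmac-sha2-256", "hmac-ripemd160"],
}


def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise ConnectionError("stream ended after %d of %d bytes" % (len(data), n))
    return data


def read_packet(stream):
    """Return the payload of one unencrypted binary packet (RFC 4253 s6)."""
    packet_len, pad_len = struct.unpack(">IB", _read_exact(stream, 5))
    body = _read_exact(stream, packet_len - 1)       # payload + padding (no MAC before KEX)
    return body[:packet_len - 1 - pad_len]


def parse_kexinit(payload):
    """Map each KEXINIT name-list to a Python list of algorithm names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16                                      # message id + cookie
    result = {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        result[field] = raw.decode("ascii").split(",") if n else []
        off += n
    return result


def unexpected_algorithms(offered, wanted):
    """{field: names the server offers that are not in wanted[field]}; empty dict means clean."""
    bad = {}
    for field, allowed in wanted.items():
        extra = [name for name in offered.get(field, []) if name not in allowed]
        if extra:
            bad[field] = extra
    return bad


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, complete the version exchange, and return (server id string, parsed KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")                  # one buffered reader for lines and bytes
        while True:                                   # lines before "SSH-" are a banner (s4.2)
            line = stream.readline()
            if not line:
                raise ConnectionError("no identification string received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")   # constructed client id string
        offered = parse_kexinit(read_packet(stream))
        return line.strip().decode("ascii", "replace"), offered


def build_kexinit(lists):
    """Serialise a KEXINIT payload (used to build the constructed sample below)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        joined = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(joined)) + joined
    return out + b"\x00" + b"\x00\x00\x00\x00"        # first_kex_packet_follows, reserved


def frame_packet(payload):
    """Wrap a payload in the binary packet format with at least 4 bytes of 8-byte-aligned padding."""
    pad_len = 8 - ((5 + len(payload)) % 8)
    if pad_len < 4:
        pad_len += 8
    return struct.pack(">IB", 1 + len(payload) + pad_len, pad_len) + payload + b"\x00" * pad_len


def parse_packet_bytes(raw):
    return parse_kexinit(read_packet(io.BytesIO(raw)))


# Constructed sample offer (not a real capture): a server still advertising a CBC cipher,
# an MD5 MAC and a SHA-1 group exchange on top of the wanted lists.
SAMPLE_OFFER = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-ed25519"],
    "ciphers_client_to_server": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes128-cbc"],
    "ciphers_server_to_client": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes128-cbc"],
    "macs_client_to_server": ["hmac-sha2-512", "hmac-sha2-256", "hmac-md5"],
    "macs_server_to_client": ["hmac-sha2-512", "hmac-sha2-256", "hmac-md5"],
    "compression_client_to_server": ["none", "zlib@openssh.com"],
    "compression_server_to_client": ["none", "zlib@openssh.com"],
}
SAMPLE_PACKET = frame_packet(build_kexinit(SAMPLE_OFFER))

if __name__ == "__main__":
    if len(sys.argv) > 1:                             # python kexinit_probe.py host [port]
        ident, offered = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
        print("server:", ident)
    else:
        offered = parse_packet_bytes(SAMPLE_PACKET)
    for field in ("kex_algorithms", "ciphers_server_to_client", "macs_server_to_client"):
        print("%-26s %s" % (field, ",".join(offered[field])))
    print("offered but not wanted:", unexpected_algorithms(offered, WANTED))
```

Run it with a host name to probe a real sshd, or with no arguments to see it flag the extra algorithms in the constructed sample. An empty result from `unexpected_algorithms` means the server only offers what sshd_config allows; a non-empty one means the config file was not the one in effect (wrong file, no restart, or an sshd that does not honour a directive), which the answer's `ssh -oCiphers=foo` test would also reveal one cipher at a time.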