How To Disable diffie-hellman-group1-sha1 for SSH
I have found that my server via SSH still supports diffie-hellman-group1-sha1. To stay compliant with latest PCI Compliance I have been trying to figure out how to disable diffie-hellman-group1-sha1. Weakdh.org doesn't exactly give clear instructions on how to disable this nor anything on the web. What is the proper way to disable this algorithm without disabling Port 22 for SSH on Ubuntu? Below is what algorithms my server supports when running ssh -Q kex:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
Running ssh -Q kex gives you the list of client-supported algorithms. The server ones you get from sshd -T | grep kex (on the server, of course).
And if you want to remove one, just take the list you get from the previous command, remove the algorithm you are interested in, and put it in /etc/ssh/sshd_config (or replace the existing KexAlgorithms line there).
From man sshd_config:

KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
So to disable "diffie-hellman-group1-sha1", specify the required algorithms with the KexAlgorithms parameter. Example:

KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
In OpenSSH 7.6, if you want to remove one or more options and leave the remaining defaults, you can add the following line to /etc/ssh/sshd_config:

KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256

Note the - at the start of the comma-separated list. The above line would disable diffie-hellman-group1-sha1 and ecdh-sha2-nistp256.
This is detailed further in man sshd_config under KexAlgorithms:
If the specified value begins with a ‘-’ character, then the specified methods (including
wildcards) will be removed from the default set instead of replacing them.
One final note: after making any changes to /etc/ssh/sshd_config, always verify them using sshd -t before restarting sshd.
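The procedure the answers describe (take the sshd -T list, drop the weak algorithm, write a KexAlgorithms line, validate before restarting) as an added POSIX shell example that is not from the original answers. The sshd -T line is a constructed sample, and kex_offers, kex_without and audit_server are names chosen here; audit_server only runs against a real server, where sshd -T needs root and the host keys.

```shell
#!/bin/sh
# Constructed sample of the "kexalgorithms" line that `sshd -T` prints on a
# server still offering the whole legacy default set (mirrors the man page list).
SAMPLE_SSHD_T='kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# kex_offers LINE ALG: succeed if the comma-separated list in LINE contains ALG.
# The leading keyword (kexalgorithms / KexAlgorithms) is stripped first.
kex_offers() {
  case ",${1#* }," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# kex_without LINE ALG...: print a KexAlgorithms directive built from LINE
# with every ALG dropped, ready to paste into /etc/ssh/sshd_config.
kex_without() {
  list=${1#* }; shift
  keep=""
  old_ifs=$IFS; IFS=,                 # split the list on commas only
  for alg in $list; do
    drop=0
    for unwanted in "$@"; do
      [ "$alg" = "$unwanted" ] && drop=1
    done
    [ "$drop" -eq 0 ] && keep="${keep:+$keep,}$alg"
  done
  IFS=$old_ifs
  printf 'KexAlgorithms %s\n' "$keep"
}

# audit_server: read the live effective config and, if group1-sha1 is still
# offered, print the directive that removes it (nothing is written automatically).
audit_server() {
  command -v sshd >/dev/null 2>&1 || { echo "sshd not found in PATH" >&2; return 2; }
  live=$(sshd -T 2>/dev/null | grep '^kexalgorithms ') || return 2
  if kex_offers "$live" diffie-hellman-group1-sha1; then
    echo "WEAK: sshd still offers diffie-hellman-group1-sha1; suggested directive:"
    kex_without "$live" diffie-hellman-group1-sha1
    echo "After editing /etc/ssh/sshd_config, run sshd -t before restarting sshd."
    return 1
  fi
  echo "OK: diffie-hellman-group1-sha1 is not offered"
}

# Offline demonstration on the constructed sample (no sshd required):
kex_without "$SAMPLE_SSHD_T" diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1
```

Run audit_server as root on the server itself; re-run it after the restart to confirm the weak group is gone from the effective configuration, not just from the file.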