How To Disable diffie-hellman-group1-sha1 for SSH

ssh

I have found that my server via SSH still supports diffie-hellman-group1-sha1. To stay compliant with latest PCI Compliance I have been trying to figure out how to disable diffie-hellman-group1-sha1. Weakdh.org doesn't exactly give clear instructions on how to disable this nor anything on the web. What is the proper way to disable this algorithm without disabling Port 22 for SSH on Ubuntu? Below is what algorithms my server supports when running ssh -Q kex.

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group1-sha1
[email protected]

running ssh -Q kex

gives you the list of client supported algorithms. The server ones you will get from sshd -T | grep kex (on the server of course).

And if you want to remove one, just take the list you get from previous command, remove the algorithm you are interested in and put it in the /etc/ssh/sshd_config (or replace existing line there with the kex algorithms).


man sshd_config

 KexAlgorithms
         Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.  The default is

               [email protected],
               ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
               diffie-hellman-group-exchange-sha256,
               diffie-hellman-group-exchange-sha1,
               diffie-hellman-group14-sha1,
               diffie-hellman-group1-sha1

So to disable "diffie-hellman-group1-sha1" , specify required Algorithms with Parameter KexAlgorithms

Example

KexAlgorithms diffie-hellman-group-exchange-sha256,[email protected],


In OpenSSH 7.6 if you want to remove one or more options and leave the remaining defaults you can add the following line to /etc/ssh/sshd_config:

KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256

Note the - at the start of the comma separated list. The above line would disable diffie-hellman-group1-sha1 and ecdh-sha2-nistp256.

This is detailed further in man sshd_config under KexAlgorithms:

If the specified value begins with a ‘-’ character, then the specified methods (including
wildcards) will be removed from the default set instead of replacing them.

One final note, after making any changes to /etc/ssh/sshd_config always verify them using sshd -t before restarting sshd.

Related

Load balancing using IIS7 request routing and load balancing module
vagrant public ip not accessible
Is it possible to close remote desktop session on windows remotely?
Modify data being proxied by nginx on the fly
How to relaunch an executable if it dies
Puppetize everything or not?
Apache: Where to examine the redirection logs?
How do I manage PCs with vPro?
second ip address on the same interface but on a different subnet
Does is matter in what order rules are placed in htaccess?
Can't create/write to file '/tmp/#sql_xxxx.MYI' (Errcode: 13)
Do Postfix and Dovecot support OCSP stapling?