e defaults in the various RHEL version differ and the current default can be found in manual page for sshd_config. For example RHEL6:
The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
You can remove the CBC ciphers by adding the line for RHEL7:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour
The line for RHEL6:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
The line for RHEL5 (note the order of ciphers – the RC4 cipher is also known for several vulnerabilities and should not be used):
Ciphers aes128-ctr,aes192-ctr,aes256-ctr',arcfour128,arcfour256,arcfour
- Restart
sshdto apply the changes:
# service sshd restartD5 HMACs
- In order to remove HMAC MD5, add or modify the “MACs” line in
/etc/ssh/sshd_configas below.
The defaults in the various RHEL version differ and the current default can be found in manual page for sshd_config. For example RHEL6:
The default is:
hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
You can remove the hmac-md5 MACs by adding a line to /etc/ssh/sshd_config for RHEL7:
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
The line for the RHEL6:
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
The line for RHEL5:
MACs hmac-sha1,hmac-ripemd160
- Restart
sshdto apply the changes:
# service sshd restart
Recent Comments