Configure secure algorithms

SSHD/SecureAlgorithms

When an SSH client connects to a server, each side offers lists of connection parameters to the other. These parameters are presented below with the corresponding sshd_config keyword:

  • KexAlgorithms: the key exchange methods that are used to generate per-connection keys.

  • HostKey: cryptographic key used for authenticating computers in the SSH protocol.

  • HostKeyAlgorithms: the public key algorithms accepted for an SSH server to authenticate itself to an SSH client.

  • Ciphers: the ciphers to encrypt the connection.

  • MACs: the message authentication codes used to detect traffic modification.

Why you should keep only modern and secure algorithms

The SSH service uses various cryptographic algorithms that specify how messages are exchanged between client and server. Those algorithms encrypt the connection, keeping the communication confidential and maintaining its integrity. If an SSH server uses weak or deprecated algorithms, its sessions are vulnerable to several types of attacks, such as man-in-the-middle, downgrade, decryption, and birthday attacks. An attacker can obtain credentials and sensitive information in plain text or even execute arbitrary commands on the server. Research keeps discovering new vulnerabilities in existing cryptographic systems, and the growth of computing power can render algorithms obsolete. Use secure and modern ciphers to avoid these risks. Examples of attacks that abuse these types of flaws:

How to set secure ciphers

The recommended ciphers in this text are a reference for modern OpenSSH versions (OpenSSH 6.7+).

You need to add or change settings in the SSHD configuration file.

Look for Ciphers, KexAlgorithms, HostKeyAlgorithms, HostKey, and MACs in /etc/ssh/sshd_config:

If the output isn't empty, the setting is present in the file. Edit /etc/ssh/sshd_config and replace the current values with the ones below:

Recommended values for Ubuntu 20.04

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256

Recommended values for Ubuntu 18.04

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],ssh-ed25519

If the line is commented out (has a leading #), uncomment it by removing the leading #.

If the output is empty, the setting could still be defined in a .conf file under /etc/ssh/sshd_config.d/. Check there too.

The /etc/ssh/sshd_config.d/ directory does not exist on Ubuntu 18.04; you only need to check it if you're using Ubuntu 20.04 or more recent.
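The check described above, as an added example that is not part of the original page: a POSIX shell function that reports, for each of the five keywords, whether it is active, commented out, or absent in the main config file and in every .conf file of the drop-in directory (the function name and output format are the example's own choices).

```shell
#!/bin/sh
# Added example: locate the algorithm keywords in sshd_config and sshd_config.d/.
# Usage: check_sshd_algos <sshd_config> [<sshd_config.d directory>]
# Prints one line per hit: "<Keyword> active|commented <file>", or
# "<Keyword> absent -" when no file mentions the keyword at all.
check_sshd_algos() {
    conf="$1"
    dropin="${2:-}"
    # Build the list of files to inspect: the main file plus the drop-ins, if any.
    set -- "$conf"
    if [ -d "$dropin" ]; then
        set -- "$@" "$dropin"/*.conf
    fi
    for kw in Ciphers KexAlgorithms HostKeyAlgorithms HostKey MACs; do
        found=""
        for f in "$@"; do
            [ -f "$f" ] || continue
            # sshd keywords are case-insensitive and may be followed by whitespace or "=".
            # Requiring a separator after the keyword keeps "HostKey" from matching
            # "HostKeyAlgorithms".
            if grep -qiE "^[[:space:]]*${kw}([[:space:]]|=)" "$f"; then
                printf '%s active %s\n' "$kw" "$f"
                found=1
            elif grep -qiE "^[[:space:]]*#[[:space:]]*${kw}([[:space:]]|=)" "$f"; then
                printf '%s commented %s\n' "$kw" "$f"
                found=1
            fi
        done
        [ -n "$found" ] || printf '%s absent -\n' "$kw"
    done
}

# Run against the live configuration (the drop-in directory is ignored if it is missing).
check_sshd_algos /etc/ssh/sshd_config /etc/ssh/sshd_config.d
```

Remember that sshd uses the first value it reads for a keyword, so a drop-in file pulled in by an Include line near the top of sshd_config takes precedence over a later line in the main file; `sshd -T` prints the effective configuration after the change.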

Finally, restart the SSHD service:

sudo systemctl restart sshd