Configure Strong Ciphers for SSH | Debian Linux

2016/10/15

The OpenSSH server on Debian Linux offers fairly weak ciphers by default. Here is an example of how to tighten security by specifying stronger ciphers!


1. For Debian jessie or later (OpenSSH 6.7+), edit the file /etc/ssh/sshd_config

In this file, comment out the weaker ssh host keys (RSA, DSA, ECDSA), leaving only the strongest (Ed25519) enabled.

Also specify the strongest algorithms, ciphers, and MACs.

Note: If one requires older ssh clients to connect, optionally leave ssh_host_rsa_key enabled as well.

Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Key exchange, ciphers and MACs: only the algorithms listed here are offered to clients
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com


2. On Debian, one can optionally stop the server from advertising the Debian package version in its SSH banner as well

DebianBanner no


3. Restart ssh

sudo service ssh restart


Done!


(Optional)

Audit your ssh server security with this nifty app:

https://github.com/arthepsy/ssh-audit
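As an added example (not code from the original post or from ssh-audit), a small Python checker that reads an sshd_config the way sshd does and compares the effective KexAlgorithms, Ciphers, MACs and HostKey lines against the allow-list given above. It assumes whitespace between keyword and value (the Key=value form is not handled); the sample config it audits is constructed.

```python
# Added example, not code from the original post. Assumes whitespace between
# keyword and value (the Key=value form is not handled) and applies sshd's rule
# that the FIRST occurrence of a keyword wins, so a weaker line left above the
# hardened one silently takes effect. SAMPLE_CONFIG is a constructed input.

ALLOWED = {
    "kexalgorithms": {"curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
ALLOWED_HOSTKEYS = {"/etc/ssh/ssh_host_ed25519_key"}  # add the RSA key for old clients
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers aes128-cbc,3des-cbc
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""


def effective_settings(config_text):
    """As sshd applies it: first occurrence wins, comments skipped, keywords
    case-insensitive; HostKey may repeat (list). Stops at the first Match."""
    settings = {"hostkey": []}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "hostkey":
            settings["hostkey"].append(value)
        else:
            settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return findings; an empty list means the config matches the post's allow-list."""
    s, findings = effective_settings(config_text), []
    for key, allowed in ALLOWED.items():
        if key not in s:
            findings.append(f"{key}: not set, sshd falls back to its defaults")
            continue
        findings += [f"{key}: {a} is not allowed" for a in s[key].split(",") if a not in allowed]
    findings += [f"hostkey: {h} is still enabled" for h in s["hostkey"] if h not in ALLOWED_HOSTKEYS]
    return findings
```

Running audit(SAMPLE_CONFIG) flags the stale CBC/3DES Ciphers line (which sshd would actually use, since it comes first) and the still-enabled RSA host key, while the hardened Ciphers line below it is never reached.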
