Deprecated SSH Cryptographic settings QID 38739

James Row

Member
Aug 8, 2017
USA
cPanel Access Level
Root Administrator
Our security scanner Qualys reported the vulnerability “Deprecated SSH Cryptographic Settings”

The scan report provided a description of the threat posed by the vulnerability, a recommendation for correcting the problem, and the result, which shows how Qualys verified the vulnerability.

Vulnerability : Deprecated SSH Cryptographic Settings
QID: 38739
THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate.
IMPACT: A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION: Avoid using deprecated cryptographic settings. Use best practices when configuring SSH.



I tried the solution at this page, but adding these entries to /etc/ssh/sshd_config caused an error.

Any suggestions?

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],aes25[email protected],[email protected]

Kexalgorithms diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! I confirmed on my end that configuration isn't valid. While the "Ciphers" and "Kexalgorithms" settings are valid options within the configuration, it doesn't seem to like some of the values in those strings.

More details can be found directly from the source here:


but it would be good if Qualys let you know specifically which methods they don't like so you could create a custom cipher/key string for your system.

You may also want to check that the SSH package is up to date on the system by running a "yum update" on the command line.
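
Added example (not part of the thread, and not cPanel or Qualys tooling): one way to find which names in a `Ciphers` or `KexAlgorithms` value the installed OpenSSH build rejects, by comparing the value against the output of `ssh -Q`. The function names and the sample lists are constructed for illustration, and it assumes an OpenSSH version that has `ssh -Q`.

```sh
#!/bin/sh
# Added example: find the names in a Ciphers/KexAlgorithms value that the
# local OpenSSH build does not recognise (the cause of an sshd_config error).

# unsupported_algos VALUE SUPPORTED
#   VALUE:     comma-separated list as written after the keyword
#   SUPPORTED: newline-separated names, e.g. the output of `ssh -Q cipher`
# Prints every name in VALUE that is not an exact line of SUPPORTED.
# A leading +, - or ^ list modifier (newer OpenSSH) is not handled.
unsupported_algos() {
    printf '%s\n' "$1" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        # -x: whole-line match, -F: literal string, so "aes128" != "aes128-ctr"
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# check_config FILE: run the check on the Ciphers and KexAlgorithms lines of
# FILE, asking the installed client which names it supports (needs `ssh -Q`).
check_config() {
    for pair in Ciphers:cipher KexAlgorithms:kex; do
        keyword=${pair%%:*}
        query=${pair##*:}
        value=$(awk -v k="$keyword" \
            'tolower($1) == tolower(k) { $1 = ""; print; exit }' "$1")
        [ -n "$value" ] || continue
        unsupported_algos "$value" "$(ssh -Q "$query")" |
            sed "s/^/$keyword: not supported by this build: /"
    done
}

# Constructed sample data (not real `ssh -Q` output from any system).
SAMPLE_SUPPORTED='aes128-ctr
aes192-ctr
aes256-ctr'
SAMPLE_VALUE='aes128-cbc, aes128-ctr,not-a-real-cipher,aes256-ctr'

# With a file argument, check that file; otherwise do nothing.
if [ "$#" -gt 0 ]; then
    check_config "$1"
fi
```

Run it against a copy of the edited file, then confirm the copy parses with `sshd -t -f <file>` before replacing /etc/ssh/sshd_config and restarting sshd. `ssh -Q` reports what the client binary supports, which is assumed here to match the sshd from the same package.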