How To Disable SSH Server Weak Key Exchange Algorithm diffie-hellman-group1-sha1 in Oracle Linux

The diffie-hellman-group1-sha1 key exchange algorithm is considered a weaker algorithm.OpenSSH on Oracle Linux 7 currently supports and enables the algorithm that security/vulnerability scanners such as Qualys may detect as vulnerable.
To ensure optimal security, one should consider disabling weaker OpenSSH key exchange algorithms.
This document describes how to disable the diffie-hellman-group1-sha1 key exchange algorithm within on Oracle Linux 7.
The same process may also be used to disable other algorithms.

Steps to disable Oracle Linux 7 OpenSSH diffie-hellman-group1-sha1 key exchange algorithm

1. Check whether key exchange algorithm diffie-hellman-group1-sha1 is currently enabled:

# sshd -T | egrep -i ^kexalgorithms | grep diffie-hellman-group1-sha1; echo $?
or
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 | grep diffie-hellman-group1-sha1; echo $?


2. Backup original SSH server configuration file e.g.:

# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig


3. Generate and output the default list of supported key exchange algorithms to the SSH server configuration file excluding the diffie-hellman-group1-sha1 algorithm e.g.:

# ssh -Q kex | grep -v 'diffie-hellman-group1-sha1' | tr '\n' ',' >> /etc/ssh/sshd_config


4. Correctly format the newly added entry to the SSH server configuration file i.e.:

  • prepend the resultant kex list with 'KexAlgorithms ' at the last line.
  • remove already deprecated algorithms from the list i.e. gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
  • remove any trailing comma (,) from the last entry in the list

The final entry should appear similar to the following:

# tail -n 1 /etc/ssh/sshd_config
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org


5. Restart the SSH server

# systemctl restart sshd


6. Verify the diffie-hellman-group1-sha1 key exchange algorithm is disabled now.

# sshd -T | egrep -i ^kexalgorithms | grep diffie-hellman-group1-sha1; echo $?
or
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 | grep diffie-hellman-group1-sha1; echo $?


7. Where applicable, re-run the security scan that originally detected the weakness - it should no longer be reported.

Same can also be done for Ciphers as well.


Reference:Oracle Linux: How To Disable SSH Server Weak Key Exchange Algorithm diffie-hellman-group1-sha1 (Doc ID 2803881.1)



If you like please follow and comment