The security team of my organization told us to disable weak encryption due to the weak keys
arcfour arcfour128 arcfour256
But I tried looking for these ciphers in the ssh_config and sshd_config files but found them commented.
grep arcfour *
ssh_config:# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Where can I test ciphers from ssh?
If you have no explicit list of ciphers set in ssh_config using the Ciphers keyword, then the default value, according to man 5 ssh_config (client-side) and man 5 sshd_config (server-side), is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, firstname.lastname@example.org,email@example.com, firstname.lastname@example.org, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour
Note the presence of the arcfour ciphers. So you may have to explicitly set a more restrictive value for
ssh -Q cipher from the client will tell you which schemes your client can support. Note that this list is not affected by the list of ciphers specified in ssh_config. Removing a cipher from ssh_config will not remove it from the output of ssh -Q cipher. Furthermore, using ssh with the -c option to explicitly specify a cipher will override the restricted list of ciphers that you set in ssh_config and possibly allow you to use a weak cipher. This is a feature that allows you to use your ssh client to communicate with obsolete SSH servers that do not support the newer stronger ciphers.
nmap --script ssh2-enum-algos -sV -p <port> <host> will tell you which schemes your server supports.
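The point made in the answer above, that a commented-out Ciphers line leaves the built-in defaults (arcfour included) in effect, can be checked with a small script. This is an added example, not part of the original post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print the value of the first active Ciphers line in an ssh_config/sshd_config
# file. Commented lines are ignored; the keyword is case-insensitive and may be
# followed by whitespace or '='. Host/Match blocks are not interpreted.
explicit_ciphers() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        { split($0, f, /[ \t=]+/)
          if (tolower(f[1]) == "ciphers") { print f[2]; exit } }
    ' "$1"
}

# Print the arcfour entries of a comma-separated cipher list, one per line.
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E '^arcfour(128|256)?$' || true
}

# Return 0 = explicit list without arcfour, 1 = explicit list with arcfour,
# 2 = no active Ciphers line, so the built-in default list is in effect.
audit_ciphers() {
    list=$(explicit_ciphers "$1")
    if [ -z "$list" ]; then
        echo "$1: no active Ciphers line, built-in defaults apply"
        return 2
    fi
    weak=$(weak_ciphers "$list" | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "$1: arcfour enabled: $weak"
        return 1
    fi
    echo "$1: explicit list without arcfour"
}

# Constructed samples: the commented line from the question, a hardened file,
# and a file that still lists arcfour.
demo_dir=$(mktemp -d)
printf '%s\n' '# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc' > "$demo_dir/commented"
printf '%s\n' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' > "$demo_dir/hardened"
printf '%s\n' 'ciphers aes128-ctr,arcfour256,arcfour' > "$demo_dir/weak"
for f in commented hardened weak; do audit_ciphers "$demo_dir/$f" || true; done
```

On a live host, the same audit_ciphers function can be pointed at a file holding the output of sshd -T (server) or ssh -G <host> (client), which print the effective configuration including the ciphers line.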