SSH ciphers and encryption algorithms


#1

Hello,

I am wondering if there is any easy way to set the ciphers and MACs used by the ssh service that Vyatta configures? I am using Vyatta Community Ed 6.6.

I could not find any option to set these properties (normally they would be set in the sshd_config file with the directives ‘Ciphers’ and ‘MACs’). By default some weak MACs are enabled such as md5 and I would like to be able to disable these.

Alternatively, is it possible to edit the sshd_config file directly on the vyatta machine to achieve the same thing?

Thanks


#2

Hi everyone,

Turns out it's easier than I thought, and I'm sharing my solution below after reading up about some other interesting posts about extending Vyatta:

http://forum.vyos.net/showthread.php?tid=6363&pid=7611

I ended up extending Vyatta by adding the options for ciphers and macs into the ssh service:

sudo su -
cd /opt/vyatta/share/vyatta-cfg/templates/service/ssh
mkdir ciphers
mkdir macs

Contents of ciphers/node.def:

type: txt
help: Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be comma-separated. See 'man sshd_config' for supported ciphers.

create: sudo sed -i -e '$ a \
Ciphers $VAR(@)' /etc/ssh/sshd_config

delete: sudo sed -i -e '/^Ciphers $VAR(@)$/d' /etc/ssh/sshd_config

update: sudo sed -i -e '/^Ciphers/c \
Ciphers $VAR(@)' /etc/ssh/sshd_config

Contents of macs/node.def:

type: txt
help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'man sshd_config' for supported MACs.

create: sudo sed -i -e '$ a \
MACs $VAR(@)' /etc/ssh/sshd_config

delete: sudo sed -i -e '/^MACs $VAR(@)$/d' /etc/ssh/sshd_config

update: sudo sed -i -e '/^MACs/c \
MACs $VAR(@)' /etc/ssh/sshd_config

Then to set the ciphers and macs for SSH server:

set service ssh ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
set service ssh macs hmac-sha1,hmac-ripemd160
commit

I've tested the above and it seems to set the /etc/ssh/sshd_config file correctly, so hopefully this achieves what I was aiming for.

Cheers
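The following is an added example, not code from the thread or from Vyatta. It reproduces the create/update/delete logic of the node.def actions above as shell functions that work on a scratch copy of sshd_config (a constructed sample, not a real host's file), so the behaviour can be checked before wiring it into a template. Two details matter for a hardening change like this: sshd uses the first value it finds for a keyword, so a `create` that only appends leaves any pre-existing `MACs` or `Ciphers` line in effect, and directives appended after a `Match` line are scoped to that block rather than applied globally. The helpers below rewrite the first occurrence and drop duplicates, flag a file that ends inside a `Match` block, and audit the result against a list of algorithms that this example (not the page) treats as weak. Assumes POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example: template-style edits of sshd_config on a scratch file, plus checks.

# Constructed sample sshd_config (not a real host's file). Note the existing
# MACs line: a plain append of a second MACs line would not override it.
make_sample_config() {  # $1 = path to write
    cat > "$1" <<'EOF'
Port 22
Protocol 2
MACs hmac-md5,hmac-sha1
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the value of a keyword. Keywords are case-insensitive and, as in sshd,
# the first occurrence wins. Prints nothing if the keyword is absent.
ssh_directive_get() {  # $1 = file, $2 = keyword
    awk -v k="$(lower "$2")" '
        tolower($1) == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Create-or-update in one idempotent step: if the keyword exists, rewrite its
# first line and drop any later duplicates; otherwise append (like 'create').
ssh_directive_set() {  # $1 = file, $2 = keyword, $3 = value
    if [ -n "$(ssh_directive_get "$1" "$2")" ]; then
        awk -v k="$(lower "$2")" -v line="$2 $3" '
            tolower($1) == k { if (!done) { print line; done = 1 }; next }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# Remove every line for the keyword (the node.def 'delete' matches one value;
# removing all occurrences avoids leaving an older value behind).
ssh_directive_delete() {  # $1 = file, $2 = keyword
    awk -v k="$(lower "$2")" 'tolower($1) != k' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Once a Match line appears, everything to end-of-file belongs to a Match
# block, so an appended global directive would be silently scoped. Status 0
# means the file ends inside a Match block.
ends_in_match_block() {  # $1 = file
    awk 'tolower($1) == "match" { m = 1 } END { exit m ? 0 : 1 }' "$1"
}

# Algorithms this example treats as weak (example's own list): MD5-based and
# truncated MACs, and the RC4 ciphers.
WEAK_ALGOS="hmac-md5 hmac-md5-96 hmac-sha1-96 arcfour arcfour128 arcfour256"

# Print "Keyword:algo" for each weak entry in Ciphers/MACs; status 1 if any.
weak_algorithms() {  # $1 = file
    found=""
    for key in Ciphers MACs; do
        for a in $(ssh_directive_get "$1" "$key" | tr ',' ' '); do
            for w in $WEAK_ALGOS; do
                if [ "$a" = "$w" ]; then found="$found $key:$a"; fi
            done
        done
    done
    found=${found# }
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Demo run on a scratch file; on a live box you would also run 'sshd -t'
# against the edited file before restarting the service.
cfg=$(mktemp)
make_sample_config "$cfg"
ssh_directive_set "$cfg" MACs hmac-sha2-256,hmac-sha2-512
ssh_directive_set "$cfg" Ciphers aes256-ctr,aes192-ctr,aes128-ctr
if weak_algorithms "$cfg" >/dev/null; then
    echo "no weak algorithms in $cfg"
else
    echo "weak algorithms remain in $cfg"
fi
rm -f "$cfg"
```

Running the script rewrites the sample's `MACs hmac-md5,hmac-sha1` line in place instead of appending a second one, which is the difference between the setting taking effect and sshd quietly keeping the old value. The same awk-based matching can replace the `sed` one-liners in the node.def actions if case-insensitive keywords or duplicate lines turn out to be a problem on a given box.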