In this release we have made it possible to configure a stricter set of encryption ciphers for SSH. SSH can use a wide collection of algorithms to secure the connection between your client and the server. Over time some of those ciphers have become outdated and could be regarded as weak. CBC-mode ciphers in particular have been advised against in favor of CTR-mode ciphers.
In practice this is rarely a problem because exploiting these weaknesses is non-trivial. Since OpenSSH version 5.2, exploiting the “Plaintext Recovery Attack Against SSH” vulnerability, also known as CPNI-957037, has become infeasible. On top of that, the client will always negotiate an appropriate algorithm with the server anyway, making it unlikely that any of the less-preferred ciphers would be used.

Yet there is still a good reason why you might want to disable everything but the strongest ciphers. Various security scans and audits will mark the availability of deprecated ciphers as a problem. PCI-DSS, for example, maintains strict standards.

Like the stricter SSL cipher suite on Hypernode, stricter SSH ciphers can be configured by our support department.

To check if this feature is enabled on your Hypernode you can inspect the /etc/ssh/sshd_config file:

Not enabled (default)

$ grep Cipher /etc/ssh/sshd_config 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

Enabled (via support)

$ grep Cipher /etc/ssh/sshd_config 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

We will not enable strict ciphers by default to retain compatibility with older SSH clients. If you wish to switch between the normal and strict settings, please contact us at support@byte.nl.
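
The grep check above can be turned into a small audit script that names the CBC ciphers an sshd_config still offers. This is an added example, not Hypernode tooling: the helper names ciphers_line and cbc_ciphers are hypothetical, and the two sample files are constructed from the Ciphers lines shown on this page.

```shell
#!/bin/sh
# Added example, not Hypernode tooling. ciphers_line and cbc_ciphers are
# hypothetical helper names.

# Print the value of the first active Ciphers directive in file $1.
# Keywords are case-insensitive; lines starting with '#' are comments.
ciphers_line() {
    awk 'tolower($1) == "ciphers" { $1 = ""; gsub(/[ \t]/, ""); print; exit }' "$1"
}

# Print each CBC cipher listed in file $1, one per line.
# Status: 0 = none listed, 1 = CBC ciphers listed,
#         2 = no Ciphers directive (sshd's built-in default list applies).
cbc_ciphers() {
    list=$(ciphers_line "$1")
    [ -n "$list" ] || return 2
    found=$(printf '%s\n' "$list" | tr ',' '\n' | grep -i 'cbc' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed samples: the two Ciphers lines shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/default" <<'EOF'
# constructed sample
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
EOF
cat > "$demo_dir/strict" <<'EOF'
# constructed sample
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF

for name in default strict; do
    rc=0
    out=$(cbc_ciphers "$demo_dir/$name") || rc=$?
    case $rc in
        0) echo "$name: strict, no CBC ciphers offered" ;;
        1) echo "$name: CBC ciphers still offered:"; echo "$out" | sed 's/^/  /' ;;
        *) echo "$name: no Ciphers directive found" ;;
    esac
done
```

On a live server, running `sshd -T | grep -i '^ciphers'` as root prints the effective cipher list, including the built-in defaults when no Ciphers directive is set.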