https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/269584#M45294 <P>Note that on versions which don't have the 'set ssh server' options in clish, the /etc/ssh/sshd_config is overwritten by certain changes in clish. This may undo changes you make to it. To work around this, you can make the changes in&nbsp;/etc/ssh/templates/sshd_config.templ, though that may be overwritten when installing a jumbo.</P> Tue, 03 Feb 2026 15:41:03 GMT Bob_Zimmerman 2026-02-03T15:41:03Z https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/268650#M45109 <DIV>Below are the steps to disable weak ciphers on an SSH server. This configuration is frequently flagged during vulnerability scans.</DIV> <P>&nbsp;</P> <P>R81.10+ version</P> <P>Log in to the command line on the Gaia OS.<BR />Enter Clish mode.<BR />View the currently enabled KEX algorithms using the command: <BR />"show ssh server kex enabled"<BR />Disable the weak algorithm: <BR />"set ssh server kex diffie-hellman-group1-sha1 off"<BR />Save the configuration permanently: <BR />"save config"</P> <P>R81 and lower versions</P> <P>1. Connect to the command line on Gaia OS.<BR />2. Log in to the Expert mode.<BR />3. Back up the current /etc/ssh/sshd_config file:<BR />cd /etc/ssh<BR />cp sshd_config sshd_config_BCK1<BR /><BR />4. Edit the current /etc/ssh/sshd_config file:<BR /><BR />vi /etc/ssh/sshd_config<BR /><BR /><BR />5. Set the required Key Exchange method as the value of the "KexAlgorithms" parameter.<BR /><BR />Find:<BR />KexAlgorithms +diffie-hellman-group1-sha1<BR />KexAlgorithms +diffie-hellman-group-exchange-sha1<BR /><BR />Replace with:<BR /><BR />#KexAlgorithms +diffie-hellman-group1-sha1<BR />#KexAlgorithms +diffie-hellman-group-exchange-sha1<BR />KexAlgorithms +diffie-hellman-group16-sha512<BR />KexAlgorithms +diffie-hellman-group14-sha256<BR /><BR />6. Save the changes in the file and exit Vi editor.<BR /><BR />7. Restart the SSH service:<BR /><BR />service sshd restart</P> Mon, 26 Jan 2026 16:32:22 GMT https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/268650#M45109 Gaurav_Pandya 2026-01-26T16:32:22Z https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/268680#M45111 <P>Excellent stuff, thanks for that&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8251">@Gaurav_Pandya</a>&nbsp;</P> Tue, 27 Jan 2026 00:15:31 GMT https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/268680#M45111 the_rock 2026-01-27T00:15:31Z https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/269370#M45219 <P>Just tried this in R82 lab, worked great.</P> Sun, 01 Feb 2026 16:52:35 GMT https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/269370#M45219 the_rock 2026-02-01T16:52:35Z https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/269584#M45294 <P>Note that on versions which don't have the 'set ssh server' options in clish, the /etc/ssh/sshd_config is overwritten by certain changes in clish. This may undo changes you make to it. To work around this, you can make the changes in&nbsp;/etc/ssh/templates/sshd_config.templ, though that may be overwritten when installing a jumbo.</P> Tue, 03 Feb 2026 15:41:03 GMT https://community.checkpoint.com/t5/General-Topics/How-to-edit-modify-weak-ciphers-for-SSH-server/m-p/269584#M45294 Bob_Zimmerman 2026-02-03T15:41:03Z