Below are the steps to disable weak ciphers (here, weak key exchange algorithms) on the SSH server of a Gaia OS machine. Leaving these algorithms enabled is frequently flagged during vulnerability scans.
R81.10 and higher versions
1. Log in to the command line on the Gaia OS.
2. Enter Clish mode.
3. View the currently enabled KEX algorithms:
show ssh server kex enabled
4. Disable the weak algorithm:
set ssh server kex diffie-hellman-group1-sha1 off
5. Save the configuration permanently:
save config
R81 and lower versions
1. Connect to the command line on Gaia OS.
2. Log in to the Expert mode.
3. Back up the current /etc/ssh/sshd_config file:
cd /etc/ssh
cp sshd_config sshd_config_BCK1
4. Edit the current /etc/ssh/sshd_config file:
vi /etc/ssh/sshd_config
5. Set the required Key Exchange method as the value of the "KexAlgorithms" parameter.
Find:
KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1
Replace with (sshd applies only the first KexAlgorithms line it reads, so both methods go on one comma-separated line):
#KexAlgorithms +diffie-hellman-group1-sha1
#KexAlgorithms +diffie-hellman-group-exchange-sha1
KexAlgorithms +diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
6. Save the changes in the file and exit the Vi editor.
7. Restart the SSH service:
service sshd restart
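
An added example, not part of the original procedure and not Check Point tooling: a shell check for the file edited in step 5 that reports which KexAlgorithms line sshd actually applies and whether it still enables one of the two SHA-1 methods. It assumes sshd's rule that only the first occurrence of a keyword takes effect, ignores Match blocks and wildcard patterns, and runs against a constructed sample file; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not Check Point code. Static check of an sshd_config file.
# WEAK_KEX holds the two methods this page disables.
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Value of the first uncommented KexAlgorithms line: the only one sshd applies.
effective_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# Number of uncommented KexAlgorithms lines; any after the first are ignored.
kex_line_count() {
    awk 'tolower($1) == "kexalgorithms" { n++ } END { print n + 0 }' "$1"
}

# Returns 1 and names the method if the effective line enables a weak one.
check_kex() {
    value=$(effective_kex "$1")
    case "$value" in
        -*) return 0 ;;               # a leading "-" removes methods
    esac
    value=${value#[+^]}               # strip the append/prepend modifier
    status=0
    for alg in $(printf '%s' "$value" | tr ',' ' '); do
        for weak in $WEAK_KEX; do
            if [ "$alg" = "$weak" ]; then
                echo "WEAK: $alg enabled in $1"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample: the "Find" lines from step 5, before the edit.
sample=$(mktemp)
printf '%s\n' 'Port 22' \
    'KexAlgorithms +diffie-hellman-group1-sha1' \
    'KexAlgorithms +diffie-hellman-group-exchange-sha1' > "$sample"
echo "effective: $(effective_kex "$sample")"
echo "KexAlgorithms lines: $(kex_line_count "$sample")"
check_kex "$sample" || echo "result: weak key exchange still enabled"
rm -f "$sample"
```

To check the real file, call check_kex /etc/ssh/sshd_config from Expert mode after step 6 and before restarting the service.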