This article is a quick note on how to improve OpenSSH server security on Red Hat Enterprise Linux and CentOS 6 and 7. It is not about passwords versus keys (use keys, not passwords) but about the hashes (MACs), ciphers and key exchange algorithms the server is willing to negotiate.
Add the following lines to “/etc/ssh/sshd_config” so that weaker algorithms are not offered to clients.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]
KexAlgorithms diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
# DSAAuthentication no # Disabling this will disable other things too.
Make sure to do this safely. In my experience, an invalid setting on the OpenSSH server doesn’t kill the current session. But be careful because your server might be different.
The change above only takes effect once the SSH server is restarted.
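The two steps above (checking that the hardening directives are in place, then validating and restarting) can be scripted. The shell script below is an added example and is not part of the original post: it audits a sshd_config for the Ciphers, MACs and KexAlgorithms directives, flags entries matching an assumed list of weak algorithm name fragments (arcfour, cbc, 3des, blowfish, md5, sha1, diffie-hellman-group1; adjust it to your own policy), and wraps the restart in a `sshd -t` syntax check so a typo never takes the daemon down. The sample config files it creates are constructed for the demonstration. One caveat worth knowing when you append lines: sshd uses the first occurrence of a keyword it finds, so an earlier `Ciphers` line would win over one added at the bottom; the reader function below mirrors that behaviour.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config for the
# hardening directives discussed above and restarts sshd only after the
# config passes "sshd -t".

# Assumed weak-algorithm name fragments; tune to your own policy.
WEAK_PATTERN='arcfour|cbc|3des|blowfish|md5|sha1|diffie-hellman-group1'

# Print the value of the FIRST non-comment line for a keyword, which is the
# one sshd itself honours. Handles the "Keyword value" form only.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# Check the three negotiation lists. Prints one finding per directive and
# returns 0 only when all three are set and none contains a weak entry.
audit_sshd_config() {
    cfg="$1"; rc=0
    for kw in Ciphers MACs KexAlgorithms; do
        val=$(sshd_directive "$cfg" "$kw")
        if [ -z "$val" ]; then
            echo "MISSING: $kw not set (sshd falls back to its built-in default list)"
            rc=1
            continue
        fi
        # Split the comma-separated list and look for weak entries.
        weak=$(printf '%s\n' "$val" | tr ',' '\n' | grep -Ei "$WEAK_PATTERN" || true)
        if [ -n "$weak" ]; then
            echo "WEAK: $kw contains: $(printf '%s' "$weak" | tr '\n' ' ')"
            rc=1
        else
            echo "OK: $kw = $val"
        fi
    done
    return $rc
}

# Validate the file, then restart. "sshd -t" parses the config and exits
# non-zero on a bad keyword or value without touching the running daemon.
# Keep your current session open until a fresh login succeeds.
safe_restart_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "$cfg failed validation; not restarting sshd" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd        # CentOS/RHEL 7
    else
        service sshd restart          # CentOS/RHEL 6
    fi
    # Afterwards, "sshd -T" prints the effective configuration; grep it for
    # ciphers/macs/kexalgorithms to confirm the lists that are really in use.
}

# Constructed sample configs for the demonstration (not real server files).
make_sample_config() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
# constructed: hardened config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_rsa_key
EOF
    else
        cat >"$f" <<'EOF'
# constructed: weak ciphers still listed, MACs never set
Ciphers aes256-cbc,arcfour,aes128-ctr
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256
EOF
    fi
    echo "$f"
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file first; only call `safe_restart_sshd` once the audit reports OK for all three directives.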