Minor change to SSH settings

We’re making a minor technical change to the SSH settings our servers use, removing obsolete and insecure ciphers like “3des-cbc”.

The changes are required to ensure that sites we host pass PCI compliance scans. The obsolete ciphers allowed SSH connections that appeared to be secure, but really weren’t.

This should not affect anything for our customers who use SSH, as long as you use modern, updated SSH software. We’re just documenting it in case anyone has difficulties with SSH connections.

If you do have any trouble, the solution is almost certainly to update your SSH client software, though — the program you’re using is probably pretty outdated and may also have trouble connecting to other servers, not just ours.

As always, don’t hesitate to contact us if you have any trouble or questions.

Can you provide more technical details?

If you’re an expert in SSH and wondering precisely what has been disabled and what is available, here’s a list:

Disabled items

These are ciphers, etc., that we no longer support:

Disabled KexAlgorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Disabled Ciphers: 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, arcfour128, arcfour256

Disabled MACs: hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com

Enabled items

These are ciphers, etc., that you can use. Your SSH software should work as long as it supports at least one in each group:

KexAlgorithms: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256

Ciphers: aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc

MACs: umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-ripemd160-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-ripemd160
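As an added example (not part of the hosting provider's post), the POSIX shell script below asks the local OpenSSH client which algorithms it supports via `ssh -Q` and checks that it shares at least one entry with each of the three enabled groups listed above. It assumes OpenSSH 6.3 or newer, the version that introduced `ssh -Q`; the server lists are copied verbatim from the announcement.

```shell
#!/bin/sh
# Added example: can this OpenSSH client still negotiate with the server above?
# Server-side enabled lists, copied from the announcement (whitespace-separated).
SERVER_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256"
SERVER_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com aes128-cbc aes192-cbc aes256-cbc"
SERVER_MACS="umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-ripemd160-etm@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-ripemd160"

# common_algos SERVER_LIST CLIENT_LIST
# Prints every algorithm present in both lists, one per line, in server order.
# Returns 0 if at least one is shared, 1 if the two sides have nothing in common.
common_algos() {
    found=1
    for s in $1; do
        for c in $2; do
            if [ "$s" = "$c" ]; then
                echo "$s"
                found=0
            fi
        done
    done
    return $found
}

# check_group LABEL SERVER_LIST CLIENT_LIST
# Reports whether this group can be negotiated; returns 1 when the client
# offers none of the server's enabled algorithms (the "update your client" case).
check_group() {
    if matches=$(common_algos "$2" "$3"); then
        printf '%s: OK (%s)\n' "$1" "$(echo "$matches" | tr '\n' ' ')"
        return 0
    fi
    printf '%s: NO COMMON ALGORITHM - update your SSH client\n' "$1" >&2
    return 1
}

# Query the installed client: `ssh -Q` lists what this OpenSSH build supports.
if command -v ssh >/dev/null 2>&1; then
    rc=0
    check_group "KexAlgorithms" "$SERVER_KEX"     "$(ssh -Q kex)"    || rc=1
    check_group "Ciphers"       "$SERVER_CIPHERS" "$(ssh -Q cipher)" || rc=1
    check_group "MACs"          "$SERVER_MACS"    "$(ssh -Q mac)"    || rc=1
fi
```

A client whose only key-exchange methods are the disabled group1/group14 SHA-1 variants fails the KexAlgorithms check, which is exactly the connection failure the post describes.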