# Ciphers Advisory for SSH, SFTP

#### First published on February, 2019.

#### Last edited on January 10, 2024

Nasuni Access Anywhere Server uses OpenSSH to provide SSH access.  Included in the configuration is a list of ciphers that can be used to encrypt the SSH traffic between the Access Anywhere and the SSH client that is communicating with it.

The set of ciphers that are considered secure has changed since we installed those libraries.  Users may wish to adjust their configurations to constrain the cipher choices to an updated set of secure ciphers. 

## SSH Server

<WRAP center round important 60%>
This procedure should only be attempted if you have console access to your VM.  If you make a mistake then it may be impossible to connect to the VM over the network. In that case you will only be able to restore network access if you have console access.
</WRAP>

For configuration of the SSH Service make these changes to `/etc/ssh/sshd_config`.

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

You can validate configuration changes with:

    sshd -T

To restart the service:

    systemctl restart sshd

## SSH Client

You can also change the ciphers and MACs for the SSH client in `/etc/ssh/ssh_config`
.
## Cloud SFTP

If you are using [[https://docs.storagemadeeasy.com/server/sftpsetup|Cloud SFTP]] the Ciphers and MACs can also be configured.

To find available options

    cd /var/www/smestorage/ftpserver/sftpserver
    ./sme_sftp.py --help

To limit the ciphers and MACs available edit `/var/www/smestorage/containers/cloudftp/configs/sftpserver.conf`.

    # Example:
    # supported_ciphers = aes256-ctr, aes192-ctr
    supported_ciphers = aes256-ctr, aes192-ctr, aes128-ctr

    # Example:
    # supported_macs = hmac-sha2-512, hmac-sha2-256
    supported_macs = hmac-sha2-512, hmac-sha2-256