Ciphers Advisory for SSH, SFTP

First published in February 2019.

Last edited on January 10, 2024

Nasuni Access Anywhere Server uses OpenSSH to provide SSH access. Its configuration includes a list of ciphers that can be used to encrypt the SSH traffic between the Access Anywhere Server and the SSH client that is communicating with it.

The set of ciphers that are considered secure has changed since we installed those libraries. Users may wish to adjust their configurations to constrain the cipher choices to an updated set of secure ciphers.

SSH Server

This procedure should only be attempted if you have console access to your VM. If you make a mistake, it may become impossible to connect to the VM over the network. In that case, you will only be able to restore network access from the console.

To configure the SSH service, make these changes to /etc/ssh/sshd_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

You can validate configuration changes with the following command, which checks the configuration file and prints the effective settings:

sshd -T

To restart the service:

systemctl restart sshd
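
The validation step above can be turned into a gate before the restart. The following is an added example, not part of the original advisory: it reads `sshd -T` output and reports any effective cipher or MAC that is not on the lists given above. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Allow-lists copied from the Ciphers and MACs lines in this advisory.
ALLOWED_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
ALLOWED_MACS='umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Constructed samples in the "keyword value" layout that `sshd -T` prints.
SAMPLE_BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc
macs hmac-sha1,hmac-sha2-256,umac-128@openssh.com'
SAMPLE_AFTER="port 22
ciphers $ALLOWED_CIPHERS
macs $ALLOWED_MACS"

# disallowed KEYWORD ALLOWED: read an `sshd -T` dump on stdin and print each
# algorithm on the KEYWORD line that is absent from the comma-separated ALLOWED
# list. Prints MISSING:KEYWORD if the dump has no such line at all.
disallowed() {
    awk -v key="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        tolower($1) == key {
            found = 1
            m = split($2, got, ",")
            for (i = 1; i <= m; i++) if (!(got[i] in ok)) print got[i]
        }
        END { if (!found) print "MISSING:" key }'
}

# check_sshd_dump: return 0 only when every effective cipher and MAC is on the
# advisory list; otherwise name the offenders on stderr and return 1.
check_sshd_dump() {
    dump=$(cat)
    bad=$(printf '%s\n' "$dump" | disallowed ciphers "$ALLOWED_CIPHERS"
          printf '%s\n' "$dump" | disallowed macs "$ALLOWED_MACS")
    [ -z "$bad" ] && return 0
    printf 'not in advisory list: %s\n' $bad >&2
    return 1
}

# On the server, gate the restart on the check (needs root):
#   sshd -T | check_sshd_dump && systemctl restart sshd
```

If `sshd -T` rejects the file it prints no settings, so the check reports both lines as missing and the restart is skipped.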

SSH Client

You can also change the ciphers and MACs for the SSH client in /etc/ssh/ssh_config.

Cloud SFTP

If you are using Cloud SFTP, the ciphers and MACs can also be configured.

To find the available options:

cd /var/www/smestorage/ftpserver/sftpserver
./sme_sftp.py --help

To limit the ciphers and MACs available, edit /var/www/smestorage/containers/cloudftp/configs/sftpserver.conf:

# Example:
# supported_ciphers = aes256-ctr, aes192-ctr
supported_ciphers = aes256-ctr, aes192-ctr, aes128-ctr

# Example:
# supported_macs = hmac-sha2-512, hmac-sha2-256
supported_macs = hmac-sha2-512, hmac-sha2-256