Ciphers Advisory for SSH, SFTP
First published in February 2019.
Last edited on January 10, 2024
Nasuni Access Anywhere Server uses OpenSSH to provide SSH access. Included in the configuration is a list of ciphers that can be used to encrypt the SSH traffic between the Access Anywhere Server and the SSH client that is communicating with it.
The set of ciphers that are considered secure has changed since we installed those libraries. Users may wish to adjust their configurations to constrain the cipher choices to an updated set of secure ciphers.
SSH Server
This procedure should only be attempted if you have console access to your VM. If you make a mistake then it may be impossible to connect to the VM over the network. In that case you will only be able to restore network access if you have console access.
For configuration of the SSH Service make these changes to /etc/ssh/sshd_config.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
You can validate configuration changes with:
sshd -T
To restart the service:
systemctl restart sshd
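The check below is an added example, not part of Nasuni's documentation: it reads sshd -T output and flags any cipher or MAC outside the lists in this advisory, so the restart can be gated on a clean result. The function name audit_sshd_config and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Allowed lists copied from this advisory.
ALLOWED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
ALLOWED_MACS="umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"

# audit_sshd_config (hypothetical helper): reads `sshd -T` output on stdin,
# prints each cipher or MAC outside the allowed lists, and returns 0 only
# when both lines are present and contain nothing else.
audit_sshd_config() {
    awk -v ciphers="$ALLOWED_CIPHERS" -v macs="$ALLOWED_MACS" '
        BEGIN {
            n = split(ciphers, c, ","); for (i = 1; i <= n; i++) ok["ciphers", c[i]] = 1
            n = split(macs, m, ",");    for (i = 1; i <= n; i++) ok["macs", m[i]] = 1
        }
        # sshd -T prints keywords in lower case: "ciphers a,b" and "macs x,y"
        $1 == "ciphers" || $1 == "macs" {
            seen[$1] = 1
            n = split($2, got, ",")
            for (i = 1; i <= n; i++)
                if (!(($1, got[i]) in ok)) {
                    print "NOT ALLOWED " $1 ": " got[i]
                    bad = 1
                }
        }
        END {
            if (!seen["ciphers"]) { print "MISSING ciphers line"; bad = 1 }
            if (!seen["macs"])    { print "MISSING macs line";    bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_GOOD='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'
SAMPLE_BAD='port 22
ciphers aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1'

# On the server, as root, gate the restart on a clean audit:
#   sshd -T | audit_sshd_config && systemctl restart sshd
```

A MISSING result also covers the case where sshd -T rejects the file and prints no configuration, so the restart is skipped then as well.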
SSH Client
You can also change the ciphers and MACs for the SSH client in /etc/ssh/ssh_config.
Cloud SFTP
If you are using Cloud SFTP, the Ciphers and MACs can also be configured.
To find available options:
cd /var/www/smestorage/ftpserver/sftpserver
./sme_sftp.py --help
To limit the ciphers and MACs available, edit /var/www/smestorage/containers/cloudftp/configs/sftpserver.conf.
# Example:
# supported_ciphers = aes256-ctr, aes192-ctr
supported_ciphers = aes256-ctr, aes192-ctr, aes128-ctr
# Example:
# supported_macs = hmac-sha2-512, hmac-sha2-256
supported_macs = hmac-sha2-512, hmac-sha2-256