List and Secure Your SSH MACs Ciphers and KexAlgorithms for Enhanced Security

List and secure your SSH MACs Ciphers and KexAlgorithms

Learn how to list and secure your SSH MACs, Ciphers, and KexAlgorithms for enhanced security. This guide provides step-by-step instructions for checking and configuring these vital components of SSH connections.

Table of Contents

Introduction

SSH (Secure Shell) has become the go-to protocol for securely managing remote systems. It provides secure communication by encrypting the data in transit, which ensures confidentiality and integrity. However, the underlying security of an SSH connection depends heavily on the cryptographic methods it employs. These methods, including MACs (Message Authentication Codes), Ciphers, and KexAlgorithms (Key Exchange Algorithms), all play essential roles in the security and integrity of an SSH connection.

In this detailed guide, we will explain what MACs, Ciphers, and KexAlgorithms are, why they matter, and how to find and list the supported algorithms in your SSH setup. We will also dive deep into best practices for securing your SSH connections by ensuring you are using only the most up-to-date and secure algorithms.

Why You Need to Understand SSH Algorithms

Understanding the cryptographic algorithms used in SSH connections is vital for a variety of reasons:

  • Security: The strength of your encryption and authentication relies on using strong, up-to-date algorithms.
  • Compliance: Many organizations and regulations require the use of modern cryptographic standards. By ensuring the right algorithms are in place, you can achieve compliance.
  • Prevention of Attacks: Weak or outdated algorithms can make your system susceptible to various attacks, including man-in-the-middle attacks, brute-force attacks, and eavesdropping.

The cryptographic algorithms used in SSH fall into three main categories:

  • MACs (Message Authentication Codes): Ensure the integrity of the message.
  • Ciphers: Encrypt the data to ensure its confidentiality.
  • KexAlgorithms (Key Exchange Algorithms): Establish the secure connection by allowing the client and server to agree on a shared secret key.

With this in mind, let’s explore how to find and list the algorithms on your SSH server or client and how to configure them for optimal security.

SSH algorithms SSH Ciphers SSH MACs KexAlgorithms

Photo by admingeek from Infotechys

What are MACs, Ciphers, and KexAlgorithms?

Before we dive into the practical steps of listing and configuring algorithms, it’s essential to understand what these cryptographic components are and why they matter.

1. Message Authentication Codes (MACs)

A MAC is used to verify the authenticity and integrity of the data. It ensures that the data hasn’t been tampered with during transmission. A MAC is generated by applying a cryptographic hash function (like SHA) to the data and a shared secret key.

In SSH, MACs are crucial because they protect against tampering and ensure that the data sent and received has not been altered by an attacker.

Common MAC Algorithms in SSH:

  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha1

2. Ciphers

A Cipher is an encryption algorithm that is used to encrypt the data to ensure confidentiality. The purpose of a cipher is to make the data unreadable to anyone who doesn’t have the proper key to decrypt it.

The strength of an SSH cipher determines how well your connection is protected from eavesdropping. The stronger the cipher, the more difficult it is for an attacker to decrypt the traffic.

Common Cipher Algorithms in SSH:

  • aes128-ctr
  • aes256-ctr
  • aes128-cbc
  • aes192-ctr

3. Key Exchange Algorithms (KexAlgorithms)

Key exchange algorithms are responsible for securely establishing a shared key between the client and server. They ensure that both parties have a common key they can use to encrypt and decrypt data.

A weak key exchange algorithm can expose your SSH connection to interception and man-in-the-middle attacks. That’s why it’s essential to choose secure key exchange algorithms.

Common KexAlgorithms in SSH:

  • diffie-hellman-group14-sha1
  • ecdsa-sha2-nistp256
  • diffie-hellman-group14-sha256

How to List SSH MACs, Ciphers, and KexAlgorithms

Knowing which algorithms your SSH server or client supports is the first step in ensuring you have a secure configuration. Below are several methods for finding and listing supported algorithms on your system.

1. Listing Supported Algorithms Locally Using SSH Client

If you’re on a local machine and want to check which algorithms your SSH client supports, you can easily do so using the built-in ssh command.

List Supported Ciphers:

Run the following command to list the ciphers supported by your SSH client:

				
					ssh -Q cipher

This will output a list of supported ciphers, such as:

				
					3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

List Supported MACs:

To list the available Message Authentication Codes (MACs) that your client supports:

				
					ssh -Q mac

You might see output like:

List Supported KexAlgorithms:

To view the key exchange algorithms supported:

				
					hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
				
			
				
					ssh -Q kex

Example output:

				
					diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

These commands are helpful when you want to confirm which algorithms are available on your local machine’s SSH client.

2. Remotely Listing Supported Algorithms with Nmap

If you need to check the supported algorithms of a remote SSH server, you can use the nmap tool. Nmap is a powerful network scanner that can also be used to probe remote servers for SSH configuration. To scan a remote server for supported algorithms, you can use the following nmap command:

				
					nmap --script ssh2-enum-algos -p <port> <hostname>

For example, to scan a server running SSH on port 22:

				
					nmap --script ssh2-enum-algos -p 22 example.com

Sample output:

				
					Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-08 14:45 UTC
Nmap scan report for example.com (192.168.1.100)
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   Ciphers:
|     aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc
|   MACs:
|     hmac-sha2-256, hmac-sha2-512, hmac-sha1
|   Key Exchange Algorithms:
|     diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, ecdsa-sha2-nistp256

This output shows which algorithms are supported by the remote SSH server, including ciphers, MACs, and key exchange algorithms. It is an effective way to audit a remote SSH server’s security posture.

3. Check SSH Configuration Files on the Server

On the server side, the SSH configuration file defines which algorithms are enabled. This file is typically located at /etc/ssh/sshd_config. To view or modify the list of allowed algorithms, follow these steps:

Edit the SSH Configuration File:

				
					sudo vim /etc/ssh/sshd_config

Look for lines that define the algorithms, such as (if they don’t exist, add them):

  • Ciphers
  • MACs
  • KexAlgorithms

Example Configuration:

				
					# Specify Ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

# Specify MACs
MACs hmac-sha2-256,hmac-sha2-512

# Specify KexAlgorithms
KexAlgorithms diffie-hellman-group14-sha256,ecdsa-sha2-nistp256

Restart SSH service:

After making changes to the configuration file, restart the SSH service to apply them:

				
					sudo systemctl restart sshd

This ensures that only the specified algorithms are used for secure communication.

Best Practices to Secure Your SSH Ciphers and KexAlgorithms

Now that you know how to check and list the algorithms used by SSH, let’s look at some best practices for securing your SSH configuration. These recommendations will help you ensure your SSH connections are protected against vulnerabilities.

1. Disable Weak Algorithms

Many older cryptographic algorithms have known vulnerabilities. It’s essential to disable these weak algorithms and only use strong, modern ones.

Example: Disabling Weak Ciphers

For example, to disable weak ciphers like 3DES or RC4, modify the sshd_config file to only allow strong ciphers like AES-CTR.

				
					Ciphers aes128-ctr,aes192-ctr,aes256-ctr

2. Use Elliptic Curve Algorithms

Elliptic Curve Cryptography (ECC) provides better security with smaller key sizes. ECDSA and Curve25519 are much stronger and more efficient than traditional RSA and Diffie-Hellman algorithms.

Example Configuration:

				
					KexAlgorithms ecdsa-sha2-nistp256,curve25519-sha256

3. Enforce Strong Key Exchange Algorithms

Always use modern key exchange algorithms like diffie-hellman-group14-sha256 or ecdsa-sha2-nistp256 to ensure the confidentiality of the key exchange.

4. Regularly Update Your SSH Configuration

Cryptographic algorithms evolve over time, with vulnerabilities being discovered in older algorithms. Regularly audit and update your SSH configuration to ensure you’re using the most secure options available.

Conclusion

By understanding and controlling the MACs, Ciphers, and KexAlgorithms used by your SSH servers and clients, you can significantly enhance the security of your SSH connections. Following the steps outlined in this guide, you can easily list the algorithms, audit your SSH configuration, and make necessary changes to secure your systems.

Keep in mind that SSH is just one part of a robust security strategy, but securing it properly by using strong, up-to-date cryptographic algorithms is essential for protecting your sensitive data.

Did you find this article useful? Your feedback is invaluable to us! Please feel free to share your thoughts in the comments section below.

Related Posts
Generate SSH Keys
Commands
How to Generate SSH Keys

In this comprehensive guide, we’ll walk you through the process of generating SSH keys, empowering you to enhance the security of your digital interactions. Table

Read More »
Tags
Ansible (25) Apache (8) Artificial Intelligence (8) Automation (34) Big Data (4) Blockchain (4) CentOS (160) Cloud Computing (3) Containers (12) Database (7) Debian (42) DevOps (6) Docker (11) Fedora (10) Git (3) HOWTO (241) Information Technology (4) Install (121) Jenkins (6) Kali Linux (4) Kubernetes (20) KVM (6) LAMP (5) Linux (271) Linux commands (162) mariaDB (4) Minikube (6) mysql (9) nmcli (4) Podman (14) Postgres (3) Postgresql (4) Python (8) RHCSA Exam (10) RHEL (180) Scripting (4) SSH (4) Technology (11) Text Editor (10) Ubuntu (65) Upgrade (4) vim (3) VirtualBox (3) Virtualization (4) Zabbix (6)

Leave a Reply

Your email address will not be published. Required fields are marked *