
KB-2757: SSHD security cipher configuration

Knowledge Article Type: Problem / Resolution
Article Type: Knowledge
Product: Centrify-Enabled Tools
Tags: ciphers, ssh, sshd, daemon
Bug #39762
Solution ID: 2757
Knowledge Base Article Details
Applies to: All versions of Centrify DirectControl
 
Question:
Does Centrify have any documentation that would help in understanding which encryption ciphers are set in centrify-sshd and whether they are vulnerable or not?

 
Answer:
Check the SSH daemon configuration file for allowed ciphers.
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
 
If no lines are returned, centrify-sshd is using the default ciphers; otherwise, the returned lines list the ciphers configured for the daemon.

From the sshd_config man page:

Ciphers
     Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be comma-separated.  
     The supported ciphers are "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
     "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128",  "arcfour256", "arcfour", "blowfish-cbc", 
     and "cast128-cbc".  The default is ''aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,  
     aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour''


1. Centrify OpenSSH ships with the OpenSSH defaults, so the Ciphers setting can be adjusted to fit the environment.
2. Centrify does not modify this part; it is identical to the stock OpenSSH distribution.
3. The setting is the list of ciphers that sshd supports. The cipher is negotiated with the SSH client, and only a mutually understood cipher can be selected and used.
4. AES (aes<>) encryption is an accepted secure algorithm.

It is the administrator's prerogative which ciphers to use, as long as they are supported by both sshd and the client.
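
The check and points 3 and 4 above, as an added shell example that is not part of the original article or Centrify's code: it reads the effective Ciphers list (falling back to the default quoted from the man page), lists the non-AES entries, and shows which cipher a client would negotiate. The function names, the sample config and the client list are constructed for illustration, and it assumes the plain comma-separated syntax of the quoted man page.

```shell
#!/bin/sh
# Added example, not Centrify or OpenSSH code.
# Default list copied from the sshd_config man page excerpt quoted above.
DEFAULT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'

# Print the cipher list sshd uses for config file $1 (first "Ciphers" line wins).
effective_ciphers() {
    found=$(awk '{
        line = $0
        sub(/^[ \t]+/, "", line)             # keywords may be indented
        if (line ~ /^#/) next                # skip comment lines
        if (match(tolower(line), /^ciphers[ \t=]+/)) {
            val = substr(line, RLENGTH + 1)  # keep only the argument
            gsub(/[ \t"]/, "", val)
            print val
            exit
        }
    }' "$1")
    printf '%s\n' "${found:-$DEFAULT_CIPHERS}"
}

# List the entries of cipher list $1 that are not aes* (point 4 of the article).
non_aes_ciphers() {
    out=; old_ifs=$IFS; IFS=,
    for c in $1; do
        case $c in aes*) ;; *) out="${out:+$out,}$c" ;; esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# SSH uses the first cipher on the client list ($1) that the server list ($2)
# also contains (RFC 4253); fail when there is no mutually understood cipher.
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        case ",$2," in *",$c,"*) IFS=$old_ifs; printf '%s\n' "$c"; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample config, not taken from a real host.
cfg=$(mktemp)
printf '%s\n' '# Ciphers arcfour' '  ciphers aes256-ctr,aes128-cbc,3des-cbc' > "$cfg"
server=$(effective_ciphers "$cfg")
echo "effective: $server"
echo "non-AES:   $(non_aes_ciphers "$server")"
echo "chosen:    $(negotiate 'arcfour,3des-cbc,aes256-ctr' "$server")"
rm -f "$cfg"
```

With the sample config, a client that prefers arcfour still ends up on 3des-cbc because the server list leaves it available; removing the non-AES entries from Ciphers is what prevents that.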
Created By: Article Admin
Solution Creator: Ezazul Bhuiyan