KB-2757: SSHD security cipher configuration

Authentication Service

12 April,16 at 10:59 AM

Applies to: All versions of Centrify DirectControl
Does Centrify have any documentation that would help understand which encryption ciphers are set in centrify-sshd and whether they are vulnerable or not?

Check the SSH daemon configuration file for allowed ciphers.
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
If no lines are returned, centrify-sshd is using the default ciphers; otherwise the returned lines list the ciphers configured for the daemon.

From the sshd_config man page:

     Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be comma-separated.
     The supported ciphers are "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
     "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc",
     and "cast128-cbc".  The default is "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
     aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour".

1. Centrify OpenSSH ships with the OpenSSH defaults, so Ciphers can be set as fits the environment.
2. Centrify does not modify this part of the configuration; it is identical to the stock OpenSSH distribution.
3. The setting is the list of ciphers sshd supports. It is negotiated with the ssh client, and only a cipher that both sides understand can be selected and used.
4. AES encryption (the aes128, aes192 and aes256 ciphers) is an accepted secure algorithm.

It is up to the administrator's own prerogative which ciphers to use, as long as they are supported by both sshd and the client.
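An added example, not part of the Centrify article: a POSIX shell script that reads an sshd_config file, reports the cipher list sshd will use (falling back to the man page default quoted above when no Ciphers line is set), and lists the entries outside the AES family for the administrator to review. The sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Centrify article. Reports the effective
# sshd Ciphers value and flags entries that are not AES-based, since the
# article describes AES as the accepted secure algorithm.

# Default list as quoted from the sshd_config man page in the article.
DEFAULT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'

# Print the effective cipher list for the config file given as $1.
# sshd honours the first non-comment Ciphers line it reads (keyword is
# case-insensitive, separated from its value by whitespace); if there is
# none, the compiled-in default applies.
effective_ciphers() {
    list=$(grep -i '^[[:space:]]*ciphers[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    if [ -z "$list" ]; then
        printf '%s\n' "$DEFAULT_CIPHERS"
    else
        printf '%s\n' "$list"
    fi
}

# Print, one per line, the ciphers in a comma-separated list ($1) whose
# name does not start with "aes". An empty result means all-AES.
non_aes_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^aes' || true
}

# Write a constructed sample sshd_config to the path in $1. The commented
# Ciphers line must be ignored, exactly as the article's grep -v '^#' does.
make_sample_config() {
    cat > "$1" <<'EOF'
# Ciphers aes128-cbc,3des-cbc
Port 22
Ciphers aes128-ctr,aes256-ctr,arcfour256
EOF
}

# Usage: sh check_ciphers.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    list=$(effective_ciphers "$1")
    printf 'Effective Ciphers: %s\n' "$list"
    printf 'Non-AES entries to review:\n'
    non_aes_ciphers "$list"
fi
```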