-1

I would like to disable the 'diffie-hellman-group1-sha1' and 'diffie-hellman-group-exchange-sha1' key exchange algorithms on my OpenSSH. I edited /etc/ssh/sshd_config and added this line:

    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256

After this I restarted SSH with the command 'service sshd restart'.

Now, when I run the command 'ssh -Q kex', the output is still:

    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group14-sha256
    diffie-hellman-group16-sha512
    diffie-hellman-group18-sha512
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    curve25519-sha256
    curve25519-sha256@libssh.org
    gss-gex-sha1-
    gss-group1-sha1-
    gss-group14-sha1-

Why didn't it make any changes? Did I do something wrong?

V1har
  • Stackoverflow is for help with software development. You should consider asking this on [unix.se], [sf], or [su]. – Kenster Feb 06 '18 at 14:48

2 Answers

-1

I believe "ssh -Q kex" shows all Key Exchange Algorithms that are available: not necessarily just the algorithms that are configured for use in any given situation. Consider that in ssh_config one can designate a specific set of Key Exchange Algorithms to be used with a particular host. How would "ssh -Q kex" know which host is of interest? Also, I have configured /etc/ssh/ssh_config, ~/.ssh/config, or even /etc/ssh/sshd_config, to specify that certain Key Exchange Algorithms be enabled or disabled. In my experience, "ssh -Q kex" does not reflect the changes.

I have had better luck by actually attempting to log into a specific ssh host/server using ssh -vv or ssh -vvv, and then reviewing what my client and the server are each offering for use in key exchange. After configuring the appropriate config file or after adding "-o kex=specific_key_exchange_algorithm" to the ssh command line, I do see the changes reflected in "debug" messages reported. YMMV. I hope this helps someone even if the answer is rather late with respect to the original poster's question.

-1

ssh shows the algorithms used by the SSH client on the machine, and sshd shows the algorithms used by the SSH server on the machine.

You have modified the file /etc/ssh/sshd_config that is leveraged by sshd.

Try using sshd -T.

Ralf
Ankit Sharma
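As an added example (not from either answer or the original poster), a small POSIX shell audit that applies the point both answers make: check the server's effective key exchange list from "sshd -T" output rather than from "ssh -Q kex", and report whether the two sha1 algorithms the asker wants gone are still offered. The WEAK_KEX list, the function names and the two sample "sshd -T" outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. "ssh -Q kex" lists every key
# exchange algorithm the binary supports and never reads sshd_config. To see
# what the server will actually offer, read "sshd -T" (effective config, run
# as root so it can load host keys) and inspect its kexalgorithms line.

# Algorithms the asker wants disabled; this check treats them as weak.
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# check_kex_line LINE
# LINE is a "kexalgorithms a,b,c" line as printed by sshd -T. Prints each weak
# algorithm still present; returns 0 if none, 1 if any.
check_kex_line() {
    algos=$(printf '%s\n' "$1" | sed -n 's/^[Kk]ex[Aa]lgorithms[[:space:]]*//p' | tr ',' ' ')
    rc=0
    for weak in $WEAK_KEX; do
        for a in $algos; do
            if [ "$a" = "$weak" ]; then
                echo "weak kex still offered: $a"
                rc=1
            fi
        done
    done
    return $rc
}

# audit_sshd_output
# Reads full "sshd -T" output on stdin (e.g. sshd -T | audit_sshd_output).
# Returns 2 if no kexalgorithms line is present at all.
audit_sshd_output() {
    kexline=$(grep -i '^kexalgorithms' | head -n 1)
    if [ -z "$kexline" ]; then
        echo "no kexalgorithms line in input" >&2
        return 2
    fi
    check_kex_line "$kexline"
}

# Constructed sample outputs, not captured from a real host. The first is a
# config that still offers the sha1 variants; the second is what the asker's
# KexAlgorithms line yields.
SAMPLE_DEFAULT='port 22
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
ciphers aes256-ctr'
SAMPLE_HARDENED='port 22
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
ciphers aes256-ctr'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd_output || echo "default sample: weak kex present"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_output && echo "hardened sample: OK"
```

On a live host, run `sshd -T | audit_sshd_output` as root after restarting sshd; a non-zero exit means the config change did not take effect.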