How to modify SSH Daemon Key Exchange Algorithms

Article ID: CTX273124

Description

It is possible to alter the ADC's SSH Daemon Key Exchange algorithms. This is done by modifying the sshd_config file. However, there are a few caveats to note:

  1. The sshd_config file should be copied to the /nsconfig/ folder in order to persist across a reboot
  2. The modified sshd_config file in /nsconfig/ will not apply until reboot; if you want it to apply immediately, /etc/sshd_config needs to be modified as well
  3. The sshd process needs to be restarted using this command: kill -HUP `cat /var/run/sshd.pid`
Taking those caveats into account, the instructions are as follows:
  1. Make a backup of the existing sshd_config file: cp /etc/sshd_config /nsconfig/sshd_config_orig
  2. Edit the /etc/sshd_config file and if the entry "KexAlgorithms" does not exist, add this line to the file; if it does exist, modify it to suit your needs: KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
  3. Save the sshd_config file.
  4. Restart the daemon using this command: kill -HUP `cat /var/run/sshd.pid`
  5. Test the results using your security scanner, or you can use NMAP with this command, replacing IP_OF_ADC_NSIP with the NSIP of your ADC: nmap -sV -p 22 --script ssh2-enum-algos IP_OF_ADC_NSIP
  6. If the NMAP output under the heading "kex_algorithms" lists the expected key exchange algorithms, then proceed; otherwise restart at step 2.
  7. Copy the sshd_config file to /nsconfig/ so that it persists after reboot: cp /etc/sshd_config /nsconfig/
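The edit, restart and check steps above as shell functions, added here as an example rather than taken from the article. It assumes a POSIX sh with awk on the ADC and operates on whatever config path it is given, so it can be rehearsed on a scratch copy before /etc/sshd_config is touched.

```shell
#!/bin/sh
# Added example, not from the Citrix article: set the KexAlgorithms directive
# in an sshd_config idempotently, then verify what the file now advertises.
# Every function takes the config path as an argument, so it can be exercised
# on a scratch copy before touching /etc/sshd_config on the ADC.

# The list from step 2 of the article, kept verbatim.
WANTED_KEX='diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1'

# set_kex_algorithms FILE ALGOS
# Replaces the first KexAlgorithms line in place (a commented-out
# "#KexAlgorithms ..." hint counts and is reused), drops any further copies so
# exactly one directive remains, and appends it if none existed. A temp file is
# used instead of "sed -i", whose syntax differs between GNU and BSD sed.
set_kex_algorithms() {
    file=$1; algos=$2; tmp="${file}.tmp.$$"
    awk -v kex="$algos" '
        /^[[:space:]]*#?[[:space:]]*KexAlgorithms([[:space:]]|$)/ {
            if (!done) { print "KexAlgorithms " kex; done = 1 }
            next
        }
        { print }
        END { if (!done) print "KexAlgorithms " kex }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_kex_algorithms FILE: print the active KexAlgorithms value (empty if none).
get_kex_algorithms() {
    awk '$1 == "KexAlgorithms" { print $2; exit }' "$1"
}

# kex_contains_sha1 FILE: succeed if the active list still offers a SHA-1 based
# exchange (diffie-hellman-group14-sha1 in the article's list), so the operator
# decides deliberately whether to keep it for legacy clients.
kex_contains_sha1() {
    get_kex_algorithms "$1" | tr ',' '\n' | grep -q -- '-sha1$'
}

# reload_sshd: the article's restart step (step 4), refusing to run if the pid
# file is missing rather than signalling nothing.
reload_sshd() {
    pidfile=/var/run/sshd.pid
    [ -r "$pidfile" ] || { echo "reload_sshd: $pidfile not found" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# On the ADC (steps 1, 2, 4 and 7 of the article):
#   cp /etc/sshd_config /nsconfig/sshd_config_orig
#   set_kex_algorithms /etc/sshd_config "$WANTED_KEX" && reload_sshd
#   cp /etc/sshd_config /nsconfig/
```

The nmap check in step 5 still applies afterwards: get_kex_algorithms only reports what the file says, while the scan confirms what the running daemon offers.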

Issue/Introduction

How to edit ADC SSHD Key Exchange Algorithms

Additional Information

https://support.citrix.com/article/CTX209398
https://support.citrix.com/article/CTX124551
https://support.citrix.com/article/CTX109011