How to modify SSH Daemon Key Exchange Algorithms
Article ID: CTX273124
Description
It is possible to alter the ADC's SSH daemon key exchange algorithms by modifying the sshd_config file. However, there are a few caveats to note:
- The sshd_config file should be copied to the /nsconfig/ folder in order to persist across reboots.
- A modified sshd_config file in /nsconfig/ is not applied until reboot; to apply the change immediately, modify /etc/sshd_config instead.
- The sshd process needs to be restarted using this command: kill -HUP `cat /var/run/sshd.pid`
Taking those caveats into account, the instructions are as follows:
1. Make a backup of the existing sshd_config file: cp /etc/sshd_config /nsconfig/sshd_config_orig
2. Edit the /etc/sshd_config file. If no "KexAlgorithms" entry exists, add the following line; if it does exist, modify it to suit your needs: KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
3. Save the sshd_config file.
4. Restart the daemon using this command: kill -HUP `cat /var/run/sshd.pid`
5. Test the results using your security scanner, or use NMAP with this command, replacing IP_OF_ADC_NSIP with the NSIP of your ADC: nmap -sV -p 22 --script ssh2-enum-algos IP_OF_ADC_NSIP
6. If the NMAP output lists the correct key exchange algorithms under the "kex_algorithms" heading, proceed; otherwise return to step 2.
7. Copy the sshd_config file to /nsconfig/ so that it persists after reboot: cp /etc/sshd_config /nsconfig/
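The edit and verification steps above, as an added shell example that is not part of the article or Citrix's tooling: set_kex rewrites or adds the KexAlgorithms line in whatever sshd_config copy you pass it, and check_scan compares the kex_algorithms block of saved nmap ssh2-enum-algos output against the configured list, so any extra or missing algorithm (for example a legacy group you meant to drop) fails the check. File paths and the algorithm list are arguments; the usage lines at the end assume the article's paths.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling. Helpers for the edit and the
# verification steps of the procedure. Nothing touches /etc or /nsconfig
# unless you pass those paths explicitly.

# set_kex FILE ALGOS: replace an existing KexAlgorithms line (active or
# commented out) or append one. Written back through a temp file so FILE
# keeps its mode and ownership.
set_kex() {
    file=$1; algos=$2
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*KexAlgorithms[[:space:]]' "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*KexAlgorithms[[:space:]].*|KexAlgorithms $algos|" \
            "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'KexAlgorithms %s\n' "$algos" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_kex FILE: print the active KexAlgorithms value (empty if none).
get_kex() {
    awk '$1 == "KexAlgorithms" { print $2; exit }' "$1"
}

# check_scan ALGOS SCANFILE: return 0 if the kex_algorithms the scanner saw
# are exactly the configured set, 1 if anything is missing or extra.
# SCANFILE holds the output of "nmap -sV -p 22 --script ssh2-enum-algos".
check_scan() {
    expected=$(printf '%s' "$1" | tr ',' '\n' | sort)
    seen=$(awk '/kex_algorithms:/ { on = 1; next }
                on && /_algorithms:/ { on = 0 }
                on { sub(/^[|][[:space:]]+/, ""); print }' "$2" | sort)
    [ "$expected" = "$seen" ]
}

# Usage on the ADC with the article's paths (after the backup in step 1):
#   set_kex /etc/sshd_config "diffie-hellman-group16-sha512,diffie-hellman-group14-sha256"
#   kill -HUP "$(cat /var/run/sshd.pid)"
#   nmap -sV -p 22 --script ssh2-enum-algos IP_OF_ADC_NSIP > /tmp/kex-scan.txt
#   check_scan "diffie-hellman-group16-sha512,diffie-hellman-group14-sha256" /tmp/kex-scan.txt \
#       && cp /etc/sshd_config /nsconfig/
```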
Issue/Introduction
How to edit ADC SSHD Key Exchange Algorithms
Additional Information
https://support.citrix.com/article/CTX209398
https://support.citrix.com/article/CTX124551
https://support.citrix.com/article/CTX109011