Citrix App Layering: How to Remediate SSH Weak Key Exchange Algorithms on Citrix ELM Appliance 2503


Article ID: CTX695634


Description

 

To remediate weak SSH key exchange algorithms on Citrix ELM appliance version 2503, follow the steps below:

1. Identify Weak Key Exchange Algorithms

Algorithms such as diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 are considered weak and should be disabled.

 

2. Modify SSH Configuration Files

Connect to the ELM appliance using a tool such as WinSCP, then locate and open the following configuration files in a text editor:

 

  • /etc/crypto-policies/back-ends/opensshserver.config
  • /etc/ssh/sshd_config
     

3. Edit the Configuration to Disable Weak Algorithms

Remove weak algorithms such as diffie-hellman-group-exchange-sha1.

Example:

Change this:

KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256@libssh.org

 

To this:

KexAlgorithms curve25519-sha256@libssh.org

 

4. Add Stronger Key Exchange Algorithms

Examples of stronger algorithms:

  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
     

Update the KexAlgorithms line to include only strong, approved options.

 

5. After saving changes to the configuration files, restart the SSH service to apply changes.

Use one of the following commands:

  • sudo systemctl restart sshd
  • sudo service sshd restart
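
The edit in steps 3 and 4 can be scripted so that both files are changed the same way and a backup is always taken first. The following is an added example, not part of the Citrix article or any Citrix tooling; it assumes the "KexAlgorithms a,b,c" directive form shown above, and the function names filter_kex and remediate_kex and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Citrix code. Assumes the "KexAlgorithms a,b,c" directive
# form shown in the article; function names and sample data are hypothetical.

# The two algorithms this article names as weak.
WEAK_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# filter_kex LIST: print the comma-separated LIST without the weak entries.
filter_kex() {
    out=""
    old_ifs=$IFS
    set -f; IFS=,; set -- $1; IFS=$old_ifs; set +f
    for alg in "$@"; do
        case " $WEAK_KEX " in
            *" $alg "*) ;;                    # weak: drop
            *) out="${out:+$out,}$alg" ;;     # strong: keep, order preserved
        esac
    done
    printf '%s\n' "$out"
}

# remediate_kex FILE: back up FILE to FILE.bak, then rewrite its KexAlgorithms lines.
remediate_kex() {
    file=$1
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "KexAlgorithms "*)
                kept=$(filter_kex "${line#KexAlgorithms }")
                # Never write an empty list: nothing would be left to negotiate.
                [ -n "$kept" ] || { rm -f "$tmp"; return 2; }
                line="KexAlgorithms $kept" ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Constructed sample config; on the appliance, pass each file from step 2 instead.
demo=$(mktemp)
printf '%s\n' 'Port 22' \
  'KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256@libssh.org' > "$demo"
remediate_kex "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
# Before step 5, "sshd -t" checks that the edited configuration still parses.
```

A return code of 2 means every listed algorithm was weak and the file was left unchanged, so a strong algorithm from step 4 has to be added by hand.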

Environment

The steps provided in this article should be followed with caution. Always back up your configuration files before making any changes to prevent system misconfigurations.

Issue/Introduction

This article provides steps to disable weak SSH key exchange algorithms like diffie-hellman-group-exchange-sha1 on Citrix ELM Appliance. It guides users through locating configuration files, editing them to remove insecure algorithms, and restarting the SSH service to apply changes.

Additional Information

Configuring System Cryptographic Policies: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ConfiguringSystemCryptograpicPolicies.html