To remediate weak SSH key exchange algorithms on Citrix ELM appliance version 2503, follow the steps below:
1. Identify Weak Key Exchange Algorithms
Algorithms such as diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 are considered weak and should be disabled.
2. Modify SSH Configuration Files
Connect to the ELM appliance using a tool such as WinSCP, then locate and open the following configuration files in a text editor:
3. Edit the Configuration to Disable Weak Algorithms
Remove weak algorithms such as diffie-hellman-group-exchange-sha1.
Example:
Change this:
KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256@libssh.org
To this:
KexAlgorithms curve25519-sha256@libssh.org
4. Add Stronger Key Exchange Algorithms
Examples of stronger algorithms:
Update the KexAlgorithms line to include only strong, approved options.
5. After saving changes to the configuration files, restart the SSH service to apply changes.
Use one of the following commands:
The steps provided in this article should be followed with caution. Always back up your configuration files before making any changes to prevent system misconfigurations.
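A check for step 3 that can be run against a copy of a configuration file, added here as an example and not taken from Citrix documentation. The function names and the WEAK_KEX variable are assumptions of this example; the weak list holds only the two algorithms named above.

```shell
#!/bin/sh
# Added example. WEAK_KEX holds only the two algorithms this article names.
WEAK_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# Print weak algorithms on active KexAlgorithms lines; status 0 if any found.
# Assumes the "keyword value" form; lists starting with "-" are removals, so skipped.
find_weak_kex() {
    awk -v weak="$WEAK_KEX" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) == "kexalgorithms" && $2 !~ /^-/ {
            list = $2; sub(/^[+^]/, "", list)
            m = split(list, a, ",")
            for (i = 1; i <= m; i++) if (a[i] in bad) { print a[i]; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the file with weak algorithms removed from KexAlgorithms lines.
# Exits 2 instead of writing an empty list, which is not a valid value.
strip_weak_kex() {
    awk -v weak="$WEAK_KEX" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) == "kexalgorithms" && $2 !~ /^-/ {
            pre = ""; list = $2; out = ""
            if (list ~ /^[+^]/) { pre = substr(list, 1, 1); list = substr(list, 2) }
            m = split(list, a, ",")
            for (i = 1; i <= m; i++)
                if (!(a[i] in bad)) out = (out == "" ? "" : out ",") a[i]
            if (out == "") { err = 1; exit }
            print $1 " " pre out; next
        }
        { print }
        END { if (err) exit 2 }
    ' "$1"
}

# Constructed sample mirroring the article's "Change this" line.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256@libssh.org' > "$sample"
find_weak_kex "$sample" && strip_weak_kex "$sample"
rm -f "$sample"
```

Redirect the output of strip_weak_kex to a new file and replace the original only when the exit status is 0, keeping the backup until SSH access has been confirmed after the restart.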
This article provides steps to disable weak SSH key exchange algorithms like diffie-hellman-group-exchange-sha1 on Citrix ELM Appliance. It guides users through locating configuration files, editing them to remove insecure algorithms, and restarting the SSH service to apply changes.
Configuring System Cryptographic Policies: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ConfiguringSystemCryptograpicPolicies.html