SSH connections rely on encryption ciphers to secure data between clients and servers. Choosing the right cipher can impact both security and performance. In some cases, you may need to change the default ciphers to meet specific security requirements or to improve connection speed.
To change the SSH ciphers, adjustments need to be made on both the client and server sides. This ensures compatibility and maintains the security of the connection. The process involves selecting appropriate ciphers, modifying configuration files, and testing the connection.
Select ciphers that balance security and performance. Strong ciphers like aes256-ctr offer high security but may reduce speed. Faster ciphers like aes128-ctr improve performance but may offer less security. Make sure both the client and server support the selected ciphers to avoid connection issues. Regularly update ciphers to follow current security best practices.
Steps to change SSH ciphers on the server
- Check the available ciphers on the SSH server.
$ ssh -Q cipher
This command lists every cipher the OpenSSH build installed on the server can use (it queries the local `ssh` binary, so run it on the server itself). Review this list to choose the ciphers that best meet your security and performance needs, and copy the names exactly as they appear in the output.
- Open the sshd_config file on the server.
$ sudo nano /etc/ssh/sshd_config
Use a text editor like nano or vi to edit the configuration file. The sshd_config file controls the settings for the SSH daemon on the server.
- Specify the preferred ciphers using the Ciphers directive.
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com
Add or modify the `Ciphers` directive in sshd_config. List the preferred ciphers in order of priority. Stronger ciphers should be listed first. Use the names exactly as printed by `ssh -Q cipher`, including the `@openssh.com` suffix where it appears; `chacha20-poly1305` without the suffix is not a valid name and sshd will refuse to start on it.
- Restart the SSH service to apply the changes.
$ sudo systemctl restart ssh
Restarting the SSH service applies the changes made to the configuration file. Run `sudo sshd -t` first: it checks that the file parses without touching the running daemon, so a typo in the `Ciphers` line does not leave you locked out. On RHEL-family systems the unit is named `sshd`, so use `sudo systemctl restart sshd`. If your system uses init.d instead of systemd, use `sudo service ssh restart`.
Steps to change SSH ciphers on the client
- Edit the ssh_config file on the client.
$ nano ~/.ssh/config
If `~/.ssh/config` does not exist, create it. You can also modify the global configuration file located at `/etc/ssh/ssh_config`.
- Match the ciphers in the client configuration with the server.
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com
Ensure that the ciphers listed in the client’s ssh_config file match those configured on the server. This ensures compatibility during the connection process.
- Test the connection to verify that the new ciphers are working.
$ ssh -v user@hostname
The `-v` option enables verbose mode, providing detailed output during the connection process, including the negotiated cipher: look for the `debug1: kex: server->client cipher:` and `client->server cipher:` lines.
- If the connection fails, revert to the default ciphers by removing the Ciphers directive.
Comment out or delete the `Ciphers` directive in both the server and client configuration files to revert to the default settings and restore connection functionality.
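As an added example (not code from the article or from OpenSSH), the POSIX shell helpers below check each name in a `Ciphers` value against what the local OpenSSH build reports through `ssh -Q cipher`, and write the directive into a config file without creating a duplicate line. The function names are my own; when `ssh` is not on the PATH, a constructed sample list stands in for the real query.

```shell
#!/bin/sh
# Added helper for this article (not OpenSSH code): validate a Ciphers
# value against the local OpenSSH build before restarting sshd, and
# write the directive into a config file without duplicating it.

# Cipher names the local OpenSSH build accepts, one per line. Uses the
# real `ssh -Q cipher` when available; otherwise a constructed sample
# list modelled on a current OpenSSH build stands in.
supported_ciphers() {
    if command -v ssh >/dev/null 2>&1 && list=$(ssh -Q cipher 2>/dev/null); then
        printf '%s\n' "$list"
    else
        printf '%s\n' 3des-cbc aes128-cbc aes192-cbc aes256-cbc \
            aes128-ctr aes192-ctr aes256-ctr \
            aes128-gcm@openssh.com aes256-gcm@openssh.com \
            chacha20-poly1305@openssh.com
    fi
}

# Print each name in a comma-separated Ciphers value that the build does
# not know (e.g. chacha20-poly1305 without @openssh.com). Returns 1 if
# any were found: sshd rejects the whole file on one bad name.
unsupported_ciphers() {
    spec="$1"; rc=0
    supported=$(supported_ciphers)
    for c in $(printf '%s' "$spec" | tr ',' ' '); do
        if ! printf '%s\n' "$supported" | grep -qxF -- "$c"; then
            printf '%s\n' "$c"; rc=1
        fi
    done
    return $rc
}

# Replace an active (uncommented) Ciphers line with the new value, or
# append one if none exists. Commented lines such as Debian's
# "# Ciphers and keying" are left alone. A .bak copy is kept.
set_ciphers_directive() {
    file="$1"; spec="$2"
    cp -- "$file" "$file.bak"
    if grep -Eq '^[[:space:]]*Ciphers[[:space:]]' "$file"; then
        sed -E "s|^[[:space:]]*Ciphers[[:space:]].*|Ciphers $spec|" "$file" > "$file.tmp" \
            && mv -- "$file.tmp" "$file"
    else
        printf 'Ciphers %s\n' "$spec" >> "$file"
    fi
}
```

On the server, run `unsupported_ciphers` on the intended value first and only call `set_ciphers_directive` on `/etc/ssh/sshd_config` when it prints nothing; `sudo sshd -t` before the restart remains the final check.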
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.