How to fix SSH Weak Key Exchange Algorithms Enabled
Key exchange algorithms are cryptographic protocols used to securely exchange cryptographic keys between parties in a way that ensures confidentiality, even if the communication is intercepted. These algorithms are fundamental to establishing secure communication channels.
Linux hosts ship with a default list of key exchange algorithms (the KexAlgorithms directive in sshd_config), and that default may still include algorithms that vulnerability scanners flag as weak.
NOTE: The config file may not define KexAlgorithms at all; sshd then falls back to its built-in default. In that case, override the default by adding the directive to the file explicitly.
Pre-requisite
Step 1: Log in to the server with a user that has sudo privileges.
Step 2: Switch to the root account.
sudo su
Step 3: Go to the following path.
cd /etc/ssh/
Step 4: Ensure that “sshd_config” file is present.
ls
Step 5: Check the algorithms currently in use.
sudo sshd -T | grep -E "(ciphers|macs|kexalgorithms)"
How to fix
Step 1: Log in to the server with a user that has sudo privileges.
Step 2: Switch to the root account.
sudo su
Step 3: Create a backup of the existing sshd_config file.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Step 4: Edit “/etc/ssh/sshd_config” file with any text editor.
Step 5: Add the following line to the file, replacing any existing KexAlgorithms line. sshd uses the first value it reads for a keyword, so place it above any Include directive. Only the algorithms listed here will be offered to clients:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Step 6: Save the changes and validate the file with sshd -t, which prints nothing when the configuration is syntactically valid.
Step 7: Restart the service. Keep the current session open and confirm that a new SSH login succeeds before closing it, so a mistake in the file cannot lock you out.
sudo systemctl restart sshd
Step 8: Run the command again and confirm that only the intended algorithms are listed under kexalgorithms.
sudo sshd -T | grep -E "(ciphers|macs|kexalgorithms)"
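The audit and edit above, as an added bash example that is not part of the original page: it scans constructed sshd -T output for KEX names that depend on SHA-1 or on the 1024-bit group1 modulus (the entries such findings usually flag), and rewrites a copy of sshd_config so that exactly one KexAlgorithms line carries the hardened list, placed at the top so it wins over anything pulled in by Include. The sample output, the WEAK_KEX_PATTERN regex and the function names are assumptions; on a real host run weak_kex against the actual sshd -T output and set_kex against /etc/ssh/sshd_config as root, then validate with sshd -t before restarting.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit `sshd -T` output for weak
# key exchange algorithms and write a hardened KexAlgorithms line.
# Assumptions: WEAK_KEX_PATTERN and the sample output below are constructed.

# KEX names that depend on SHA-1 or on the 1024-bit "group1" modulus.
WEAK_KEX_PATTERN='(sha1|group1-)'

# The hardened list from the page, with the separators corrected.
HARDENED_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

# Constructed stand-in for `sshd -T` output on an unhardened host.
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256'

# weak_kex "<sshd -T output>": print each weak KEX name on its own line.
# Prints nothing when the host is already clean.
weak_kex() {
  printf '%s\n' "$1" \
    | awk '$1 == "kexalgorithms" { print $2 }' \
    | tr ',' '\n' \
    | grep -E "$WEAK_KEX_PATTERN" || true
}

# config_kex <sshd_config>: print the value of the first KexAlgorithms
# directive, since sshd uses the first obtained value for each keyword.
config_kex() {
  awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# set_kex <sshd_config>: back the file up, drop every existing KexAlgorithms
# line and put the hardened one at the top, ahead of any Include directive.
# Safe to run more than once; the .bak reflects the state before the latest run.
set_kex() {
  local cfg="$1"
  cp "$cfg" "$cfg.bak"
  {
    printf 'KexAlgorithms %s\n' "$HARDENED_KEX"
    grep -viE '^[[:space:]]*kexalgorithms[[:space:]]' "$cfg.bak" || true
  } > "$cfg"
}

# Stand-alone run: list what the sample host would be flagged for.
echo "Weak KEX on sample host:"
weak_kex "$SAMPLE_SSHD_T"
```

set_kex deliberately removes every existing KexAlgorithms line rather than editing it in place, because a second, later definition would be silently ignored by sshd and would mislead anyone reading the file.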
Rollback:
Step 1: If the change must be reverted, use the following command to restore the backup file.
mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
Step 2: Restart the service.
sudo systemctl restart sshd