Summary

This article describes how to configure the BoKS SSH server boks_sshd in a secure and compatible way for KEX algorithms, ciphers and MACs.


Reference Information

All OpenSSH versions have a list of supported KEX algorithms, ciphers and MACs. Each version also has default values that can be configured in the sshd_config file.
The default values have been set to allow highest security and compatibility, but as new vulnerabilities and security issues are found, these default values need to be updated.

The default values are set using the KexAlgorithms, Ciphers and MACs options/keywords, which are described in the sshd_config man page.

BoKS 6.7 and 7.0 are based on OpenSSH version 6.1p1 and have the following default values:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

These defaults are no longer secure and need to be updated. The following values are currently (February 13, 2018) recommended for BoKS 6.7 and 7.0:

KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Note that these options and their values are normally not visible in the sshd_config file and must therefore be added.

Also note that the BoKS sshd_config file comes in two versions - $BOKS_etc/ssh/sshd_config..inactive and $BOKS_etc/ssh/sshd_config..active. Both files should be updated when updating these values.
After updating the sshd_config file, boks_sshd needs to be restarted for the changes to take effect. This is done by running Boot -k; Boot from a BoKS shell.
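
The following added example, which is not part of the original article or of BoKS, checks sshd_config text against the lists recommended above for BoKS 6.7 and 7.0. It reports a keyword that is absent (so the built-in defaults apply) or that enables an algorithm outside the recommended list. The function name audit, the sample config and the command-line usage are assumptions made for illustration.

```python
import sys

# Lists recommended in the article for BoKS 6.7 and 7.0 (OpenSSH 6.1p1).
RECOMMENDED = {
    "kexalgorithms": "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
                     "diffie-hellman-group-exchange-sha256,"
                     "diffie-hellman-group14-sha1",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "macs": "umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
}
MISSING = "(keyword absent, built-in defaults apply)"

# Constructed sample for illustration, not a real BoKS file.
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,aes128-cbc
"""


def audit(config_text):
    """Return {keyword: [problems]}; an empty dict means nothing to fix."""
    configured = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() in RECOMMENDED:
            # sshd uses the first value it reads for a keyword.
            configured.setdefault(parts[0].lower(), parts[1])
    findings = {}
    for keyword, allowed in RECOMMENDED.items():
        if keyword not in configured:
            findings[keyword] = [MISSING]
            continue
        # A subset of the recommended list passes; anything outside it is reported.
        names = configured[keyword].replace(" ", "").split(",")
        extra = [n for n in names if n and n not in allowed.split(",")]
        if extra:
            findings[keyword] = extra
    return findings


if __name__ == "__main__":
    # Pass both sshd_config files as arguments; with none, the sample is used.
    texts = {p: open(p).read() for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in texts.items():
        print(name, audit(text) or "matches the recommended lists")
```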


BoKS 7.1 is based on OpenSSH version 7.3p1 and has the following default values:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

These default values are currently all OK and need no update.

Note, the MAC algorithm hmac-sha1 exists as a default algorithm for all BoKS versions, but it is regarded as questionable from a security perspective. If not needed for compatibility, it is recommended that it is removed from the default MACs list.


Last Modified On: June 14, 2019