This article describes how to configure the BoKS SSH server boks_sshd in a secure and compatible way for KEX algorithms, ciphers and MACs.
All OpenSSH versions have a list of supported KEX algorithms, ciphers and MACs. Each version also has default values that can be configured in the sshd_config file.
The default values have been set to allow highest security and compatibility, but as new vulnerabilities and security issues are found, these default values need to be updated.
The default values are set using the KexAlgorithms, Ciphers and MACs options/keywords, which are described in the sshd_config man page.
BoKS 6.7 and 7.0 are based on OpenSSH version 6.1p1 and have the following default values:
These defaults are no longer secure and need to be updated. The following values are currently (Febuary 13, 2018) recommended for BoKS 6.7 and 7.0:
Note that these options and their values are normally not visible in the sshd_config file and must therefore be added.
Also note that the BoKS sshd_config file comes in two versions - $BOKS_etc/ssh/sshd_config..inactive and $BOKS_etc/ssh/sshd_config..active. Both files should be updated when updating these values.
After updating the sshd_config file, boks_sshd needs to be restarted for the changes to take effect. This is done by running Boot -k; Boot from a BoKS shell.
BoKS 7.1 is based on OpenSSH version 7.3p1 and has the following default values:
These default values are currently all ok and need no update.
Note, the MAC algorithm hmac-sha1 exists as a default algorithm for all BoKS versions, but it is regarded as questionable from a security perspective. If not needed for compatibility, it is recommended that it is removed from the default MACs list.
Still have questions? We can help. Submit a case to Technical Support.