Disabling Key Exchange Algorithms and Setting Up Key Length

This section describes the procedure to disable the diffie-hellman-group1-sha1 and gss-group1-sha1 key exchange (Kex) algorithms, and to restrict the Diffie-Hellman moduli (key length) used by sshd to those longer than 1024 bits.

Run the following procedure for each server in the topology:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to check whether any moduli of 1024 bits or less are present (field 5 of /etc/ssh/moduli is the modulus size):
    $ sudo awk '$5 <= 1024' /etc/ssh/moduli
  3. If step 2 returns no output, no moduli of 1024 bits or less are in use and you can skip steps 4 and 5.
    Otherwise, check out the moduli file:
    $ sudo rcstool co /etc/ssh/moduli
  4. Run the following commands to keep only the Diffie-Hellman moduli larger than 1024 bits. Note that the redirection is performed by your shell, not by sudo, so tmp$$ is created in the current directory as admusr and the moved-in file keeps that ownership; restore the ownership and mode of /etc/ssh/moduli afterwards if your policy requires them.
    $ sudo awk '$5 > 1024' /etc/ssh/moduli > tmp$$
    $ sudo mv tmp$$ /etc/ssh/moduli
  5. Run the following command to check in the moduli file:
    $ sudo rcstool ci /etc/ssh/moduli
  6. Run the following command to check whether the diffie-hellman-group1-sha1 key exchange algorithm is offered by sshd:
    $ sudo sshd -T | grep -i diffie-hellman-group1-sha1
  7. If step 6 returns no output, the diffie-hellman-group1-sha1 key exchange algorithm is already disabled and you can skip steps 8 and 9.
    Otherwise, check out the sshd_config file:
    $ sudo rcstool co /etc/ssh/sshd_config
  8. Run the following command to disable the diffie-hellman-group1-sha1 key exchange algorithm. It appends a KexAlgorithms line, built from the current sshd -T output with the algorithm removed, to the end of sshd_config; because sshd uses the first value it reads for a keyword, this only takes effect if no KexAlgorithms line already appears earlier in the file.
    $ sudo sed -i "$ a $(sudo sshd -T | grep -i diffie-hellman-group1-sha1 | awk 'tolower($1)==kexalgorithms { $1="\n"$1 ;} {gsub (/\ydiffie-hellman-group1-sha1,?\y|\y,?diffie-hellman-group1-sha1\y/, "", $2)} 1')" /etc/ssh/sshd_config
  9. Run the following command to check in the sshd_config file:
    $ sudo rcstool ci /etc/ssh/sshd_config
  10. Run the following command to check whether the gss-group1-sha1- key exchange algorithm is offered by sshd:
    $ sudo sshd -T | grep -i gss-group1-sha1-
  11. If step 10 returns no output, the gss-group1-sha1- key exchange algorithm is already disabled and you can skip steps 12 and 13.
    Otherwise, check out the sshd_config file:
    $ sudo rcstool co /etc/ssh/sshd_config
  12. Run the following command to disable the gss-group1-sha1- key exchange algorithm. As in step 8, it appends a GSSAPIKexAlgorithms line to the end of sshd_config, which only takes effect if no earlier GSSAPIKexAlgorithms line exists:
    $ sudo sed -i "$ a $(sudo sshd -T | grep -i gss-group1-sha1- | awk 'tolower($1)==gssapikexalgorithms { $1="\n"$1 ;} {gsub (/\ygss-group1-sha1-,?\y|\y,?gss-group1-sha1-\y/, "", $2)} 1')" /etc/ssh/sshd_config
  13. Run the following command to check in the sshd_config file:
    $ sudo rcstool ci /etc/ssh/sshd_config
  14. Run the following command to restart the sshd service so the new configuration is loaded:
    $ sudo service sshd restart
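The filtering logic of steps 2, 4, 8 and 12 and the checks of steps 6 and 10 can be rehearsed on sample data before touching a live server. The script below is an added example, not part of the Oracle procedure; the moduli lines and sshd -T output it uses are constructed, and it removes algorithm names with a portable split() loop instead of the gawk-only \y word boundary used by the procedure's sed command.

```shell
#!/bin/sh
# Added example, not part of the original procedure. It replays the filtering
# logic of steps 2, 4, 8 and 12 on constructed sample data so the tests can be
# verified before they are run against a live /etc/ssh/moduli or sshd_config.

# Constructed excerpt of /etc/ssh/moduli (modulus field abbreviated):
# time type tests tries size generator modulus
MODULI_SAMPLE='20130214235903 2 6 100 1023 2 F1A9C3
20130215000000 2 6 100 1535 2 ABCDEF
20130215000100 2 6 100 2047 5 123456'

# Constructed excerpt of `sshd -T` output from a host still offering both weak groups
SSHD_T_SAMPLE='port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
gssapikexalgorithms gss-group14-sha1-,gss-group1-sha1-'

# Step 2: count moduli whose size (field 5) is at most 1024 bits.
count_small_moduli() { printf '%s\n' "$1" | awk '$5 <= 1024' | wc -l | tr -d ' '; }

# Step 4: keep only moduli larger than 1024 bits.
filter_moduli() { printf '%s\n' "$1" | awk '$5 > 1024'; }

# Steps 8/12: print the directive line ($1) from sshd -T output ($3) with one
# algorithm name ($2) removed. Comparing whole comma-separated tokens is
# portable across awk implementations and cannot clip
# diffie-hellman-group14-sha1 while removing diffie-hellman-group1-sha1.
strip_kex() {
  printf '%s\n' "$3" | awk -v d="$1" -v a="$2" '
    tolower($1) == d {
      n = split($2, t, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (t[i] != a) out = out (out == "" ? "" : ",") t[i]
      print $1, out
    }'
}

# Steps 6/10: exit 0 when the algorithm ($1) is still listed in the sshd -T text ($2).
kex_offered() { printf '%s\n' "$2" | grep -qi -- "$1"; }
```

Feed the output of a real `sudo sshd -T` to strip_kex and kex_offered to preview the directive line the procedure will append before editing sshd_config.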