Steps to disable the diffie-hellman-group1-sha1 algorithm in SSH

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 6 - 7

Issue

  • Vulnerability scanner detected one of the following in a RHEL-based system:

    Deprecated SSH Cryptographic Settings
          --truncated--
    key exchange	diffie-hellman-group1-sha1
    
    Disable weak Key Exchange Algorithms
    
  • How to disable the diffie-hellman-group1-sha1 Key Exchange Algorithm used in SSH?

Resolution

Two sides are involved in SSH communication: the initiator/client and the server. The diffie-hellman-group1-sha1 algorithm can potentially be used for the communication only when both sides offer it. The algorithm can be disabled on the client side and on the server side.

For RHEL 8 and later

The diffie-hellman-group1-sha1 key exchange algorithm is already disabled in the DEFAULT system-wide cryptographic policy in Red Hat Enterprise Linux 8, 9, and 10.

Do not use this solution for disabling crypto algorithms in Red Hat Enterprise Linux 8+.

Red Hat Enterprise Linux 8+ uses system wide crypto policies; see solution "How to disable specific crypto algorithms when using system-wide cryptographic policies" instead.

For RHEL 6 and 7

  1. Disabling the diffie-hellman-group1-sha1 algorithm on the client side

    • The following command will output the algorithms offered by the client:

      # ssh -Q kex
      diffie-hellman-group1-sha1
      diffie-hellman-group14-sha1
      diffie-hellman-group14-sha256
      diffie-hellman-group16-sha512
      diffie-hellman-group18-sha512
      [...]
      

      Note that this list is unordered and doesn't reflect the current ssh configuration. Check the ssh_config(5) manpage for the accurate ordered list and verify that you don't have configuration snippets that override the default configuration.

    • Take this list and remove the undesired algorithm. Add the remaining algorithms, separated by commas, to the KexAlgorithms parameter in the Host * section of the file /etc/ssh/ssh_config. For example:

      Host *
          [...]
          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
      
    • For verification, we can then call ssh with -vvv and observe the offered algorithms:

      # ssh -vvv user@server
      OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug3: kex names ok: [List_of_Algorithms]
      [...]
      debug1: SSH2_MSG_KEXINIT received
      debug2: local client KEXINIT proposal
      debug2: KEX algorithms: List_of_Algorithms
      
    • The diffie-hellman-group1-sha1 algorithm should then not appear in the List_of_Algorithms.

  2. Disabling the diffie-hellman-group1-sha1 algorithm on the server side

    • The following command shows the algorithms offered by the sshd service:

      # sshd -T | grep -i KexAlgorithms
      kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      
    • Take this list, remove undesired algorithms such as diffie-hellman-group1-sha1, and configure the remaining algorithms with the KexAlgorithms parameter in the file /etc/ssh/sshd_config. Example:

      KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
      
    • Then we restart sshd:

      # service sshd restart
      
    • For verification, the client should be run in verbose mode:

      # ssh -vvv user@server
      [...]
      debug2: first_kex_follows 0
      debug2: reserved 0
      debug2: peer server KEXINIT proposal
      debug2: KEX algorithms: List_of_Algorithms
      

      diffie-hellman-group1-sha1 should now no longer appear in the List_of_Algorithms.
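
The server-side edit above can be scripted instead of done by hand. The following is an added example, not part of the original solution or Red Hat's tooling; the function names filter_kex and kex_directive and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Drop the algorithms named in $2 (comma-separated) from the comma-separated
# list in $1, keeping the order of what remains. Entries are compared whole.
filter_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v drop="$2" '
        BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $0 != "" && !($0 in bad) { out = out (out == "" ? "" : ",") $0 }
        END { print out }'
}

# Read `sshd -T` output on stdin and print the KexAlgorithms line for
# /etc/ssh/sshd_config with the algorithms listed in $1 removed.
kex_directive() {
    current=$(awk 'tolower($1) == "kexalgorithms" { print $2; exit }')
    [ -n "$current" ] || { echo "no kexalgorithms line found" >&2; return 1; }
    remaining=$(filter_kex "$current" "$1")
    # An empty list is not a usable setting; refuse to emit it.
    [ -n "$remaining" ] || { echo "nothing left after filtering" >&2; return 1; }
    printf 'KexAlgorithms %s\n' "$remaining"
}

# Constructed sample of `sshd -T` output (not taken from a real host).
SAMPLE_SSHD_T='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers aes128-ctr,aes256-ctr'

printf '%s\n' "$SAMPLE_SSHD_T" | kex_directive diffie-hellman-group1-sha1
```

On a real host, feed it with `sshd -T | kex_directive diffie-hellman-group1-sha1`, and run `sshd -t` after editing /etc/ssh/sshd_config to check the file before restarting the service.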

Root Cause

  • diffie-hellman-group1-sha1 uses a 1024-bit group; this size is considered weak and within theoretical range of the Logjam attack vulnerability, CVE-2015-4000.
  • However, as OpenSSH does not make use of the TLS protocol, it is not vulnerable to Logjam: TLS vulnerabilities (CVE-2015-4000).
  • As the diffie-hellman-group1-sha1 algorithm is weak, it has already been disabled on RHEL 9. Red Hat recommends disabling this algorithm in OpenSSH on RHEL 7 and RHEL 8.

For more information please refer to this Knowledge Base Solution.

Diagnostic Steps

  • To verify whether the diffie-hellman-group1-sha1 Key Exchange Algorithm is used during SSH sessions, run the SSH command with the verbose flags ('v') and search for the client's and/or host's list of Key Exchange Algorithms.

    As a general rule, when running with the -vvv flag, the client's list of Key Exchange Algorithms should appear almost immediately after the log entry debug1: SSH2_MSG_KEXINIT received. The next list of Key Exchange Algorithms belongs to the host.

    • Example 1

      $ ssh -vvv <user>@<host>
      [...]
      debug1: SSH2_MSG_KEXINIT sent
      [...]
      debug1: SSH2_MSG_KEXINIT received
      [...]
      debug2: local client KEXINIT proposal
      debug2: KEX algorithms: <list of the client's Key Exchange Algorithms>
      [...]
      debug2: peer server KEXINIT proposal
      debug2: KEX algorithms: <list of the host's Key Exchange Algorithms>
      
    • Example 2

      $ ssh -vvv <user>@<host>
      [...]
      debug1: SSH2_MSG_KEXINIT sent
      [...]
      debug1: SSH2_MSG_KEXINIT received
      [...]
      debug2: kex_parse_kexinit: <list of the client's Key Exchange Algorithms>
      [...]
      debug2: kex_parse_kexinit: first_kex_follows 0 
      debug2: kex_parse_kexinit: reserved 0 
      debug2: kex_parse_kexinit: <list of the host's Key Exchange Algorithms>
      
  • To verify the effective list of algorithms available on the sshd server side, use the nmap ssh2-enum-algos script, as shown below:

    # nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1
    [...]
    | ssh2-enum-algos:
    |   kex_algorithms (12)
    |       curve25519-sha256
    |       curve25519-sha256@libssh.org
    |       ecdh-sha2-nistp256
    |       ecdh-sha2-nistp384
    |       ecdh-sha2-nistp521
    |       diffie-hellman-group-exchange-sha256
    |       diffie-hellman-group16-sha512
    |       diffie-hellman-group18-sha512
    |       diffie-hellman-group-exchange-sha1
    |       diffie-hellman-group14-sha256
    |       diffie-hellman-group14-sha1
    |       diffie-hellman-group1-sha1
    |   server_host_key_algorithms (5)
    |       ssh-rsa
    |       rsa-sha2-512
    |       rsa-sha2-256
    |       ecdsa-sha2-nistp256
    |       ssh-ed25519
    |   encryption_algorithms (12)
    |       chacha20-poly1305@openssh.com
    |       aes128-ctr
    |       aes192-ctr
    |       aes256-ctr
    |       aes128-gcm@openssh.com
    |       aes256-gcm@openssh.com
    |       aes128-cbc
    |       aes192-cbc
    |       aes256-cbc
    |       blowfish-cbc
    |       cast128-cbc
    |       3des-cbc
    |   mac_algorithms (10)
    |       umac-64-etm@openssh.com
    |       umac-128-etm@openssh.com
    |       hmac-sha2-256-etm@openssh.com
    |       hmac-sha2-512-etm@openssh.com
    |       hmac-sha1-etm@openssh.com
    |       umac-64@openssh.com
    |       umac-128@openssh.com
    |       hmac-sha2-256
    |       hmac-sha2-512
    |       hmac-sha1
    |   compression_algorithms (2)
    |       none
    |_      zlib@openssh.com
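
The `ssh -vvv` check from Example 1 and Example 2 can be automated so that both output layouts are handled and the client and host lists are reported separately. This is an added example, not part of the original solution; the function names and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Print "client <list>" / "server <list>" from `ssh -vvv` output on stdin
# (debug output goes to stderr, so pipe it with 2>&1).
kex_proposals() {
    awk '
        # Example 1 layout: a header names the side, the KEX line follows.
        /debug2: local client KEXINIT proposal/ { side = "client"; next }
        /debug2: peer server KEXINIT proposal/  { side = "server"; next }
        /debug2: KEX algorithms: / {
            if (side != "") { sub(/^.*KEX algorithms: /, ""); print side, $0 }
            side = ""; next
        }
        # Example 2 layout: the first kex_parse_kexinit line is the client
        # list; the first one after the "reserved" line is the server list.
        /kex_parse_kexinit: first_kex_follows / { next }
        /kex_parse_kexinit: reserved / { if (got == 1) want = "server"; next }
        /debug2: kex_parse_kexinit: / {
            if (got == 0) want = "client"
            if (want != "") { sub(/^.*kex_parse_kexinit: /, ""); print want, $0; got++ }
            want = ""
        }'
}

# Print each side whose proposal contains algorithm $1. Entries are compared
# whole, so group14/16/18 never match group1.
sides_offering() {
    kex_proposals | awk -v alg="$1" '
        { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == alg) print $1 }'
}

# True only when both sides offer $1, the condition under which it can be used.
negotiable() {
    [ "$(sides_offering "$1" | sort -u | tr '\n' ' ')" = "client server " ]
}

# Constructed excerpts (not captured from a real host), one per layout.
SAMPLE_NEW='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
SAMPLE_OLD='debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa'

printf '%s\n' "$SAMPLE_NEW" | sides_offering diffie-hellman-group1-sha1   # server
printf '%s\n' "$SAMPLE_OLD" | negotiable diffie-hellman-group1-sha1 && echo "usable"
```

Against a live host the input would come from `ssh -vvv <user>@<host> 2>&1 | sides_offering diffie-hellman-group1-sha1`; empty output means neither side offers the algorithm.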
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.