
Disable Weak SSHD Algorithms

Hardens OpenSSH configuration by replacing weak ciphers, key exchange algorithms, and MACs with secure alternatives

Worklet Details

What the weak SSH algorithm disabler does

This Automox Worklet™ configures OpenSSH to use only strong cryptographic algorithms by adding explicit Ciphers, KexAlgorithms, and MACs settings to /etc/ssh/sshd_config. Default OpenSSH installations often include legacy algorithms for backward compatibility, but these weaker options create security vulnerabilities.

The Worklet specifically excludes algorithms containing SHA1, RC4, Arcfour, MD5, Blowfish, IDEA, 3DES, CAST128, and CBC modes. These algorithms have known weaknesses that could allow attackers to compromise encrypted sessions.

Why remove weak SSH algorithms

Vulnerability scanners frequently flag weak SSH algorithms as security findings. CIS Benchmarks, NIST 800-53, and PCI-DSS all recommend restricting SSH to strong cryptographic options. Removing weak algorithms reduces your attack surface and demonstrates security due diligence.

Legacy algorithms like 3DES and RC4 have documented cryptographic weaknesses. CBC-mode ciphers are vulnerable to plaintext recovery attacks. SHA1-based MACs face collision vulnerabilities. Modern alternatives provide better security without sacrificing performance.

The Worklet configures a curated list of strong algorithms including ChaCha20-Poly1305, AES-GCM, and AES-CTR ciphers with Curve25519 and Diffie-Hellman key exchange. These settings work with OpenSSH 6.5 and later.

How SSH algorithm hardening works

  1. Evaluation phase: Runs sshd -T to display the current SSH configuration and searches for weak algorithms (sha1, rc4, arcfour, md5, blowfish, idea, 3des, cast128, cbc) in the ciphers, macs, and kexalgorithms settings. If any weak algorithm is found, remediation is triggered.

  2. Remediation phase: Appends three configuration lines to /etc/ssh/sshd_config: Ciphers (ChaCha20, AES-GCM, AES-CTR variants), KexAlgorithms (Curve25519, DH-group-exchange-sha256), and MACs (HMAC-SHA2 variants with ETM). Then restarts the sshd service to apply changes.
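The two phases above as an added example, not the Worklet's own script: the evaluation function reads sshd -T output and returns non-zero when one of the weak names appears, and the remediation function rewrites a config file so the strong lists actually take effect. The strong algorithm lists are an assumption modelled on the page's summary; --apply on a real host is assumed to run as root.

```shell
#!/bin/sh
# Added example (not the Automox Worklet's own script). Evaluation reads `sshd -T`
# output and flags the weak names the page lists; remediation writes the three
# strong lines. The strong lists are an assumption modelled on the page's summary.

WEAK_RE='sha1|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc'
STRONG_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
STRONG_KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
STRONG_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Evaluation: read `sshd -T` output on stdin and print "<keyword> <algorithm>" for
# every weak entry. Returns 1 when remediation is needed, 0 when compliant.
find_weak_algorithms() {
  if awk '$1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" {
            n = split($2, a, ","); for (i = 1; i <= n; i++) print $1, a[i] }' \
     | grep -Ei "$WEAK_RE"; then
    return 1
  fi
  return 0
}

# Remediation on a config file. sshd keeps the FIRST value it reads for a keyword,
# so a line merely appended after an existing Ciphers/MACs/KexAlgorithms directive
# is ignored: comment out any existing directive first, then append the strong lists.
harden_sshd_config() {
  cfg=$1
  tmp="$cfg.tmp.$$"
  awk 'tolower($1) ~ /^(ciphers|kexalgorithms|macs)$/ {
         print "# disabled by hardening: " $0; next } { print }' "$cfg" > "$tmp" || return 1
  {
    cat "$tmp"
    printf 'Ciphers %s\nKexAlgorithms %s\nMACs %s\n' \
      "$STRONG_CIPHERS" "$STRONG_KEX" "$STRONG_MACS"
  } > "$cfg" && rm -f "$tmp"
}

# Full flow on a real host (run as root with --apply): evaluate, remediate, validate
# the file with `sshd -t`, and only then restart. The check also catches a Match
# block at the end of the file, where these directives are not permitted.
if [ "${1:-}" = "--apply" ]; then
  current=$(sshd -T) || exit 1
  if printf '%s\n' "$current" | find_weak_algorithms; then
    echo "compliant: no weak algorithms active"; exit 0
  fi
  harden_sshd_config /etc/ssh/sshd_config || exit 1
  sshd -t || exit 1
  systemctl restart sshd 2>/dev/null || systemctl restart ssh
fi
```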

SSH hardening requirements

  • Linux endpoints with OpenSSH server installed

  • OpenSSH 6.5 or later for full algorithm support

  • Root privileges for the Automox agent

  • Verify SSH clients support the new algorithms before deployment

  • Tested on Ubuntu 18.04; verify compatibility with your distribution

Expected SSH configuration state

After remediation, sshd only accepts connections using strong cryptographic algorithms. Verify with sshd -T | grep -E "(ciphers|macs|kexalgorithms)" to see the active settings. No weak algorithms should appear in the output.

SSH connections continue to work with modern clients. Legacy clients that only support weak algorithms will fail to connect. Test connectivity from all client types before broad deployment. The configuration persists across sshd restarts and system reboots.

How to validate Disable Weak SSHD Algorithms changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Disable Weak SSHD Algorithms.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as the sshd -T output and the script's exit code.

  4. Validate remediation effects from script operations such as cat of /etc/ssh/sshd_config and the appended Ciphers, KexAlgorithms, and MACs lines, then rerun the evaluation to confirm compliance.

For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow for Disable Weak SSHD Algorithms. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as sshd and exit, and remediation operations such as cat, Ciphers, and KexAlgorithms. Use these indicators to verify that endpoint changes match the intended policy outcomes.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.