Configuring an OpenSSH Server to Use the Key Exchange Methods Allowed by Command Central

Overview

By default, Command Central 10.7 and higher uses strong key exchange methods that meet the current security requirements for SSH connections. Command Central allows the following key exchange methods (listed in order of priority): diffie-hellman-group14-sha256 (highest), diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha1 (lowest).

If your environment requires it, you can also configure Command Central to allow the following key exchange methods, which are weak and therefore disabled by default:

  • diffie-hellman-group1-sha1

  • diffie-hellman-group-exchange-sha1

For details about how to enable these additional key exchange methods in Command Central, see the Command Central Help.

If the OpenSSH server is not configured to use any of the key exchange methods allowed by Command Central, you can update the server configuration to accept one or more of the allowed methods. Note that Command Central 10.11 and lower supports OpenSSH version 8.7 and lower.

Update the list of key exchange methods on the OpenSSH server

  1. Locate the configuration file of the OpenSSH server.

    By default, the configuration file is at the following path:

    • C:\ProgramData\SSH\sshd_config on machines running on Windows

    • /etc/ssh/sshd_config on machines running on UNIX

  2. Open the configuration file as root (UNIX) or Administrator (Windows).

  3. Add one of the following lines:

    • To add key exchange methods to the default server list:

      
      KexAlgorithms +<key_exchange_method1>,<key_exchange_method2>,...
      
      
    • To replace the key exchange methods in the default server list with the methods allowed by Command Central:

      
      KexAlgorithms <key_exchange_method1>,<key_exchange_method2>,...
      
      

    Where <key_exchange_method1>,<key_exchange_method2>,... is a comma-separated list of the key exchange methods to add to the OpenSSH server list.

    • To remove key exchange methods from the default server list:
    
      KexAlgorithms -<key_exchange_method3>,<key_exchange_method4>,...
    

    Where <key_exchange_method3>,<key_exchange_method4>,... is a comma-separated list of the key exchange methods to remove from the OpenSSH server list.

  4. Save the file and restart OpenSSH:

    • On a Linux machine, run the following command to restart the SSH daemon:
    
    systemctl restart sshd
    
    
    • On a Windows machine, restart the OpenSSH service.

Example:

To add the “diffie-hellman-group18-sha512” key exchange method, include the following line in the sshd_config file of the OpenSSH server:


KexAlgorithms +diffie-hellman-group18-sha512

Save the file and restart OpenSSH.
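
To confirm that a server offers at least one method Command Central allows, and to spot the weak ones, the following added example (not part of the original article or of Command Central) parses the kexalgorithms line printed by sshd -T. It assumes Command Central prefers methods in the priority order listed in the Overview; the function names and the sample line are constructed for illustration.

```shell
# Key exchange methods Command Central allows by default, in the listed priority order.
CC_KEX="diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha1"
# Methods the article describes as weak and disabled by default in Command Central.
CC_WEAK="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# in_list NAME "comma,separated,list": succeed only on an exact member match.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# first_common_kex SERVER_LIST: print the highest-priority Command Central
# method that the server also offers; return 1 if there is none (assumed order).
first_common_kex() {
    for kex in $CC_KEX; do
        if in_list "$kex" "$1"; then
            printf '%s\n' "$kex"
            return 0
        fi
    done
    return 1
}

# weak_kex_offered SERVER_LIST: print each weak method the server still offers.
weak_kex_offered() {
    for kex in $CC_WEAK; do
        if in_list "$kex" "$1"; then printf '%s\n' "$kex"; fi
    done
    return 0
}

# kex_from_sshd_T: extract the method list from "sshd -T" output on stdin.
kex_from_sshd_T() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Constructed sample of the "kexalgorithms" line as printed by "sshd -T".
SAMPLE="kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group1-sha1"

server_list=$(printf '%s\n' "$SAMPLE" | kex_from_sshd_T)
if match=$(first_common_kex "$server_list"); then
    echo "Command Central can negotiate: $match"
else
    echo "No common key exchange method; add one with KexAlgorithms +<method>"
fi
weak_kex_offered "$server_list" | sed 's/^/weak method still offered: /'
```

On a live UNIX host, replace the sample with the output of `sshd -T` run as root, piped into kex_from_sshd_T.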

Further reading:
To leverage Command Central and learn more, check out our Knowledge Base section: Command Central Knowledge Base articles, news, Community help, and support forum discussions

Get to know how to initially set up your Command Central: Command Central Initial Set-Up
Install, Fix, Replicate - made easy with Command Central

From Cygwin OpenSSH 8.8, ssh-rsa is deprecated, so Command Central (CC 10.7 fix 6) is not supported for OpenSSH 8.8.

As a workaround, configure the SSH server for the deprecated ssh-rsa,ssh-dss algorithms.
Add the lines below to /etc/sshd_config in the Cygwin install directory and restart the SSH service.

HostKeyAlgorithms +ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss

Thanks,
Gowri Prasad