Configure secure SSH ciphers

Configure secure SSH ciphers

For security and compliance purposes, the following SSH ciphers are disabled in MCP:

  • arcfour

  • arcfour128

  • arcfour256

The default ciphers can be changed in the classes/cluster/<cluster_name>/openssh/server/single.yml file of your Reclass model to satisfy the cluster needs. Mirantis highly recommends adjusting the cipher suites according to compliance requirements as well as applying and testing the changes on staging environments first.

The structure with enabled ciphers from openssh/server/single.yml is converted to a comma-separated string in /etc/ssh/sshd_config. For a list of all supported ciphers, inspect man sshd_config.5 on any node of your MCP cluster.

Warning

The following instruction can potentially lead to security or compliance issues on your cluster. Therefore, proceed at your own risk.

To configure SSH ciphers:

  1. Log in to the Salt Master node.

  2. In the classes/cluster/<cluster_name>/openssh/server/single.yml file of your Reclass model, add the supported SSH ciphers under the ciphers parameter as follows:

    parameters:
      openssh:
        server:
          ciphers:
            "<cipher_name>":
              enabled: True
    

    The following SSH ciphers are enabled by default in MCP:

    parameters:
      openssh:
        server:
          ciphers:
            "3des-cbc":
              enabled: True
            "aes128-cbc":
              enabled: True
            "aes192-cbc":
              enabled: True
            "aes256-cbc":
              enabled: True
            "aes128-ctr":
              enabled: True
            "aes192-ctr":
              enabled: True
            "aes256-ctr":
              enabled: True
            "aes128-gcm@openssh.com":
              enabled: True
            "aes256-gcm@openssh.com":
              enabled: True
            "chacha20-poly1305@openssh.com":
              enabled: True
            "rijndael-cbc@lysator.liu.se":
              enabled: True
    
  3. Apply the changes:

    salt -C 'I@salt:control' state.sls openssh.server.service linux.system