Linux 弱加密算法修复

1：环境描述

os版本：

Red Hat Enterprise Linux Server release 6.6 (Santiago)

ssh 版本：

[root@test ~]# ssh -version
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Bad escape character 'rsion'.

2.漏洞修复：

升级openssh版本为7.0后版本或将/etc/ssh/sshd_config中Ciphers修改为Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

3.问题

当ssh中配置如下功能时，在其后加入Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc将会报错

136 # Example of overriding settings on a per-user basis
137 #Match User anoncvs
138 #       X11Forwarding no
139 #       AllowTcpForwarding no
140 #       ForceCommand cvs server
141 Match Group sftp  #开启配置
142 X11Forwarding no  #开启配置
143 AllowTcpForwarding no  #开启配置
144 ChrootDirectory %h  #开启配置
145 ForceCommand internal-sftp  #开启配置
146 
147 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc  #当配置在此时  重启ssh服务报如下错误

报错信息

[root@test ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 144: Directive 'Ciphers' is not allowed within a Match block
                                                           [FAILED]

解决方法：

将Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc配置到开启设置的前面执行

例如：

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc  #放在以下功能的上面配置

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

此时在重启ssh服务正常执行