Do we need the SSH RC4 cipher enabled?

The Information Security and Risk Management department is complaining that our production server has "Support for SSH Weak Algorithms" due to the presence of the broken RC4.

What are the consequences if I remove this support? Does Trellis rely on its presence?
Thank you in advance

Trellis specifically excludes RC4, so I'm not sure where they are seeing it?

Example: https://www.ssllabs.com/ssltest/analyze.html?d=roots.io


Thank you for your reply. I've got it in this part of the report:

The remote SSH server is configured to allow weak encryption algorithms.

Description: This plugin detects the encryption algorithms supported by the remote SSH server and reports algorithms known to be weak.

Solution: Contact the vendor or consult product documentation to remove the weak ciphers.

Risk Factor: Medium

CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information: Publication date: 2016/04/04, Modification date: 2016/04/04

The following weak server-to-client encryption algorithms are supported:
arcfour
arcfour128
arcfour256

The following weak client-to-server encryption algorithms are supported:
arcfour
arcfour128
arcfour256

I’ve deployed with a Trellis version downloaded on 13/01/2016

If it's indeed enabled … how can I disable it, @swalkinshaw? The website was deployed without SSL enabled. Might this be the issue?

Oh, it's talking about SSH and not HTTPS.

You can customize the sshd config here: https://github.com/roots/trellis/blob/1163c87b5a7512c212146b2edeb9aed895347a7a/roles/sshd/templates/sshd_config.j2

There's a Protocol setting which can be set to 2, although the docs say that 2 is the default.

If you figure this out then it would be nice to submit a PR to Trellis itself.

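The arcfour ciphers the scanner lists are controlled by the `Ciphers` directive in sshd_config, not by `Protocol` (which only selects SSH-1 vs SSH-2). The script below is an added example, written for this thread and not taken from Trellis or from the original posters: it audits a constructed sshd_config fragment for RC4 (arcfour) and CBC ciphers and emits the same config with those ciphers stripped from the `Ciphers` line. The sample config, the function names and the choice of "arcfour or CBC" as the weak set are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Trellis code: audit an sshd_config for the RC4 (arcfour) and
# CBC ciphers that scanners flag, and emit a hardened Ciphers line.
# Assumptions: the config uses the standard "Ciphers name,name,..." directive;
# the sample below is constructed for this example, not taken from a real server.

WEAK_CONFIG='Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1'

# weak_ciphers CONFIG: print the ciphers on the Ciphers line that are RC4 or CBC,
# comma-separated on one line. Empty output means the line lists none.
weak_ciphers() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "ciphers" {
      n = split($2, c, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (c[i] ~ /^arcfour/ || c[i] ~ /-cbc$/)
          out = out (out == "" ? "" : ",") c[i]
      print out
    }'
}

# harden_ciphers CONFIG: print the config with RC4 and CBC ciphers removed from the
# Ciphers line; every other line passes through unchanged.
harden_ciphers() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "ciphers" {
      n = split($2, c, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (c[i] !~ /^arcfour/ && c[i] !~ /-cbc$/)
          out = out (out == "" ? "" : ",") c[i]
      print $1 " " out
      next
    }
    { print }'
}

# ciphers_line CONFIG: print just the Ciphers directive, for checking the result.
ciphers_line() {
  printf '%s\n' "$1" | awk 'tolower($1) == "ciphers" { print; exit }'
}

# Stand-alone run: report what was found and show the hardened directive.
echo "weak ciphers found: $(weak_ciphers "$WEAK_CONFIG")"
echo "hardened directive: $(ciphers_line "$(harden_ciphers "$WEAK_CONFIG")")"
```

Two caveats when applying this to a real host. First, if sshd_config has no `Ciphers` line at all, sshd uses its compiled-in default, and before OpenSSH 6.7 that default still included the arcfour ciphers, so a scanner can flag RC4 on a server whose config never mentions it; the fix is to add an explicit `Ciphers` line. Second, verify against the running daemon rather than the file, since that is what the scanner sees: `nmap --script ssh2-enum-algos -p 22 <host>` prints the cipher list the server actually offers after `service ssh restart`.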

What is your opinion about this post: https://stribika.github.io/2015/01/04/secure-secure-shell.html Do you think it's outdated? I'll try to dive into the Trellis sshd config, but I'm not a security expert, so your insights will be very helpful to me. Thank you once again.


Looks good :thumbsup: It would result in a much more secure SSH server.