How To Disable diffie-hellman-group1-sha1 for SSH

Solution 1:

man sshd_config

 KexAlgorithms
         Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.  The default is

               curve25519-sha256@libssh.org,
               ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
               diffie-hellman-group-exchange-sha256,
               diffie-hellman-group-exchange-sha1,
               diffie-hellman-group14-sha1,
               diffie-hellman-group1-sha1

So to disable "diffie-hellman-group1-sha1", specify the required algorithms with the KexAlgorithms parameter.

Example

KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org

Solution 2:

Running ssh -Q kex

gives you the list of algorithms supported by the client. The server's list you get from sshd -T | grep kex (on the server, of course).

And if you want to remove one, just take the list you get from the previous command, remove the algorithm you are interested in and put it in /etc/ssh/sshd_config (or replace the existing line there with the kex algorithms).


Solution 3:

In OpenSSH 7.6, if you want to remove one or more options and leave the remaining defaults, you can add the following line to /etc/ssh/sshd_config:

KexAlgorithms -diffie-hellman-group1-sha1,ecdh-sha2-nistp256

Note the - at the start of the comma separated list. The above line would disable diffie-hellman-group1-sha1 and ecdh-sha2-nistp256.

This is detailed further in man sshd_config under KexAlgorithms:

If the specified value begins with a ‘-’ character, then the specified methods (including
wildcards) will be removed from the default set instead of replacing them.

One final note: after making any changes to /etc/ssh/sshd_config, always verify them using sshd -t before restarting sshd.
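The procedure in Solution 2 (take the server's current list, drop the unwanted algorithm, write it back as an explicit KexAlgorithms line) and the subtraction form from Solution 3, followed by the sshd -t check, as an added example script that is not part of any of the answers above. The SAMPLE_SSHD_T line is a constructed stand-in for what sshd -T | grep kex prints on a server with the man-page defaults; the function names are this example's own, and the sshd -t call is skipped with status 2 when no sshd binary is present on the host running the script:

```shell
#!/bin/sh
# Added example (not from the original answers): build a KexAlgorithms line
# either as an explicit allow-list minus unwanted algorithms (Solution 2) or
# in the OpenSSH 7.6+ "-" subtraction form (Solution 3), then syntax-check
# the resulting file with sshd -t before it goes anywhere near a restart.

# Constructed sample of the line `sshd -T | grep kexalgorithms` prints for the
# default set quoted from man sshd_config above.
SAMPLE_SSHD_T='kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# kex_without LIST ALG [ALG...]: print LIST (comma-separated) with every
# named ALG removed. Exact-match only, so a typo never silently drops
# nothing; compare the output against the input to confirm it changed.
kex_without() {
    list=$1; shift
    out=''
    old_ifs=$IFS; IFS=','          # split the list on commas (POSIX sh, no arrays)
    for item in $list; do
        keep=1
        for drop in "$@"; do
            [ "$item" = "$drop" ] && keep=0
        done
        if [ $keep -eq 1 ]; then
            out="${out:+$out,}$item"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# kex_allowlist_line SSHD_T_LINE ALG [ALG...]: turn the `sshd -T` output line
# into an explicit sshd_config directive that omits the given algorithms.
kex_allowlist_line() {
    current=${1#kexalgorithms }; shift
    printf 'KexAlgorithms %s\n' "$(kex_without "$current" "$@")"
}

# kex_subtract_line ALG [ALG...]: the "-" form that removes the named
# algorithms from the defaults and keeps everything else (OpenSSH >= 7.6).
kex_subtract_line() {
    joined=''
    for alg in "$@"; do joined="${joined:+$joined,}$alg"; done
    printf 'KexAlgorithms -%s\n' "$joined"
}

# check_sshd_config FILE: run `sshd -t -f FILE`. Returns sshd's own exit
# status, or 2 when no sshd binary exists on this host (hypothetical
# convention for this example, so a workstation can still run the script).
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

# Usage: write a candidate config fragment, show both directive forms, and
# syntax-check the fragment. A real deployment would append the chosen line
# to /etc/ssh/sshd_config and run `sshd -t` on that file.
tmp=$(mktemp)
kex_allowlist_line "$SAMPLE_SSHD_T" diffie-hellman-group1-sha1 > "$tmp"
cat "$tmp"
kex_subtract_line diffie-hellman-group1-sha1 ecdh-sha2-nistp256
check_sshd_config "$tmp" || echo "sshd -t skipped or failed (status $?)"
rm -f "$tmp"
```

Note that sshd -t also needs readable host keys, so run it as root (or with sudo) on the server itself; a non-zero status from a key-permission error is not a KexAlgorithms problem.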
