Hands-on lab – disabling weak SSH encryption algorithms – CentOS 7

You'll notice two things when you start working with CentOS 7:

  • More algorithms enabled: A default sshd configuration on CentOS 7 offers a lot more algorithms than Ubuntu 18.04 does, including some really ancient stuff that you really don't want to see anymore. I'm talking about CBC-mode ciphers such as blowfish-cbc and 3des-cbc, which should have been retired years ago.
  • A different configuration technique: On CentOS 7, placing a - sign in front of a list of algorithms that you want to disable doesn't work. That syntax arrived in OpenSSH 7.5, and CentOS 7 ships OpenSSH 7.4. Instead, you'll need to list all of the algorithms that you want to enable, and everything you leave out is disabled.

For this lab, you'll need a CentOS 7 VM and the same scanner VM that you've been using. With that in mind, let's get to work:

  1. Scan the CentOS 7 VM and save the output to a file:
sudo ssh_scan -t 192.168.0.53 -o ssh_scan-53.json
  2. On the target CentOS 7 VM, open the /etc/ssh/sshd_config file in your preferred text editor. Toward the top of the file, find these two lines:
# Ciphers and keying
#RekeyLimit default none
  3. Beneath those two lines, insert these three lines:
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
KexAlgorithms ecdh-sha2-nistp384
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256

As I mentioned previously, the - prefix for disabling algorithms doesn't work on CentOS 7, so these three lines are allow-lists: sshd will offer only the algorithms they name, and anything not listed, the CBC ciphers included, is gone. Make sure there isn't a second Ciphers, KexAlgorithms, or MACs line further down in the file, because sshd uses the first occurrence of a keyword and ignores the rest.

  4. Save the file and restart the SSH daemon. Verify that it started correctly:
sudo systemctl restart sshd
sudo systemctl status sshd
A typo in an algorithm name is enough to stop sshd from starting, so on a remote machine it pays to check the file with sudo sshd -t before the restart and to keep your existing SSH session open until a fresh login succeeds.
  5. Scan the CentOS 7 VM again, saving the output to a different file:
sudo ssh_scan -t 192.168.0.53 -o ssh_scan-53-modified.json
  6. On the scanner VM, use diff to compare the two files. You should see fewer algorithms than you saw previously:
diff -y ssh_scan-53.json ssh_scan-53-modified.json
As before, I left the chacha20-poly1305@openssh.com algorithm enabled. If you have to remain 100% compliant with the NSA's CNSA suite, then you might have to disable it.
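The allow-list edit from steps 2 to 4, as an added shell example that is not from the book: it applies the lab's three directives to an sshd_config file in place, removes any existing active line or commented-out #Keyword default for the same keyword so the first-occurrence rule can't bite, and places the new lines above any Match block, where they would otherwise apply to that block only. The sample configuration it edits is constructed for the demo and is not a real CentOS 7 default file; the function names set_directive, effective_setting and demo are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the book): apply the lab's explicit SSH algorithm
# allow-lists to an sshd_config file. This is the CentOS 7 style, where the
# "-" prefix is unavailable and whatever you don't list is disabled.
set -eu

# The three allow-lists from the lab.
CIPHERS='chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com'
KEX='ecdh-sha2-nistp384'
MACS='hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

# set_directive FILE KEYWORD VALUE
# Rewrites FILE so that exactly one active "KEYWORD VALUE" line remains.
# Every existing active line for KEYWORD (including any inside a Match
# block) and every "#KEYWORD ..." commented-out default is removed; comments
# with a space after the "#" (such as "# Ciphers and keying") are kept.
# sshd honours only the first occurrence of a keyword, and lines below a
# Match directive apply just to that block, so the new line goes above the
# first Match (or is appended when there is none).
set_directive() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" -v line="$key $value" '
    function kw(s) {            # first word of the line, lower-cased
      sub(/^[[:space:]]+/, "", s); sub(/[[:space:]].*$/, "", s)
      return tolower(s)
    }
    kw($0) == key || kw($0) == ("#" key) { next }
    !done && kw($0) == "match" { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# effective_setting FILE KEYWORD
# Prints the value sshd would use for KEYWORD: that of the first active line.
effective_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    $0 !~ /^[[:space:]]*#/ && tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
    }
  ' "$1"
}

demo() {
  cfg=$(mktemp)
  # Constructed stand-in for /etc/ssh/sshd_config, not a real default file:
  # a commented-out default, a stray weak Ciphers line, and a Match block.
  cat > "$cfg" <<'EOF'
# Ciphers and keying
#RekeyLimit default none
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Ciphers 3des-cbc,blowfish-cbc,aes256-ctr
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
  set_directive "$cfg" Ciphers       "$CIPHERS"
  set_directive "$cfg" KexAlgorithms "$KEX"
  set_directive "$cfg" MACs          "$MACS"
  cat "$cfg"
  # On a real host, let sshd check the result before you restart it. Run as
  # an ordinary user this often fails only because the host keys are unreadable.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$cfg" && echo "sshd -t: syntax OK" || echo "sshd -t: check failed"
  fi
  rm -f "$cfg"
}

demo
```

Before running something like this against a live /etc/ssh/sshd_config, list what the installed OpenSSH build actually supports with ssh -Q cipher, ssh -Q kex and ssh -Q mac; naming an algorithm the build doesn't know is one of the ways sshd refuses to start. After the restart, sudo sshd -T dumps the effective configuration, which is a quicker check than a rescan.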

You've reached the end of the lab – congratulations!

Next, let's look at a handy new feature that comes with the RHEL 8 family.
