Avamar: "SSH Server Public Key Too Small" and "Deprecated SSH Cryptographic Settings" are reported in a Security Scan report

The following security vulnerability has been reported in the Security Scan Report.

Title: SSH Server Public Key Too Small

Results: Algorithm Length ssh-rsa 1024 bit

Threat: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH Server is using a small Public Key.
Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 are acceptable through 2013, but since 2011 they are considered deprecated. 
For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).
Only server keys that are not part of a certificate are reported in this QID.

QID: 38739
Title: Deprecated SSH Cryptographic Settings
Results: Type    Name
key exchange    diffie-hellman-group1-sha1
cipher    arcfour256
cipher    arcfour128
cipher    3des-cbc
cipher    blowfish-cbc
cipher    cast128-cbc
cipher    arcfour
Threat: The target is using deprecated SSH cryptographic settings to communication

The SSH Public Key is configured by default with 1024 bits instead of 2048 bits, and may be using deprecated SSH Cryptographic Settings.

1. Log in to the Avamar Utility Node as admin.

2. Elevate to root privilege.

3. Determine which ciphers might be used:

cat /etc/ssh/sshd_config | grep -i ciphers

Sample output:

# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

4. Run the following command to then confirm which ciphers are used:

ssh -Q cipher

Sample output:

3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

5. Make a backup copy of the /etc/ssh/sshd_config file:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%y%m%d` 

6. Using vi, edit the /etc/ssh/sshd_config file:

vi /etc/ssh/sshd_config 

7. Make the following changes:

a. Remove any of deprecated SSH cryptographic settings listed in the security scan report. In this example, the ones listed below:

cipher    arcfour256
cipher    arcfour128
cipher    3des-cbc
cipher    blowfish-cbc
cipher    cast128-cbc
cipher    arcfour 

b. Change the following parameter from 1024 to 2048:

ServerKeyBits 2048 

c. Remove the comments on these lines to specify which keys SSH is going to use:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key 

8. Check the size of each of these keys:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Sample output:

2048 82:4e:33:4a:1f:e6:81:7f:ef:c7:4c:1f:c7:b2:ce:59 [MD5]  root@linux-host1 (RSA)

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub

Sample output:

256 a9:2b:e7:0b:ab:0b:be:2f:d4:9b:6c:2d:6c:fb:3d:e9 [MD5]  root@linux-host1 (ECDSA)

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub 

Sample output:

256 65:c5:1e:1c:ac:a3:7c:05:90:21:a3:3c:7e:d6:d4:bd [MD5]  root@linux-host1 (ED25519)

If the sizes (the first number in the output, highlighted in red) are lower than the output above, new keys must be generated.

If required, run the applicable command for the key or keys to generate:

sudo ssh-keygen -N '' -b 2048 -t rsa -f /etc/ssh/ssh_host_rsa_key 

sudo ssh-keygen -N '' -b 256 -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key 

sudo ssh-keygen -N '' -b 256 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

Confirm any key overwrites:

Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
47:60:91:14:b1:15:6e:6d:ea:e9:36:37:31:08:d3:69 root@vmtest-debian8
The key's randomart image is:
+---[RSA 2048]----+
|       .B=o.     |
|       ..= .     |
|        ..+.o    |
|        ooEo     |
|        S+o.     |
|         o..o    |
|          o  o   |
|         .o o    |
|         ..o .   |
+-----------------+

9. Verify that the configuration does not contain any errors:

sshd -t

There should be no output. If there are errors, correct them before proceeding.

10. Restart the sshd service:

service sshd restart 

11. To check which ciphers are being accepted after applying these changes, run the following command against each cipher listed previously:

ssh -c "cipher_name" localhost 

• • If the cipher is being accepted, the output should match Appendix A
  • If the cipher is being denied, the output should match Appendix B

APPENDIX A:

root@hostname:~/#: ssh -c "cipher_name" localhost 

Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Last login: Mon Oct  1 14:05:28 2018 from XX.XX.XX.XXX
*****************************************************************
*                                                               *
*     This is the Avamar Virtual Appliance                      *
*                                                               *
* Please read the documentation before performing               *
* any administrative functions on this node.                    *
* For help, contact EMC at 877.534.2867 (USA only) or           *
* https://support.emc.com.                                      *
*                                                               *
*****************************************************************
root@hostname:~/#: 

APPENDIX B:

root@hostname:~/#: ssh -c "cipher_name" localhost

no matching cipher found: client "cipher_name" server valid_cipher, valid_cipher, valid_cipher