In my side role, we had an audit and wanted to remove AES128 support from SSH server platforms. In this case our Juniper gear was still supporting CBC and CTR with AES128. So we decided to enforce AES192/256, blowfish and chacha across the board.
We also want to remove the RSA function for the server key.
Here's the cfg:
To test, we just use the ssh client and specify the weaker ciphers; in this case aes128 was struck from the SRX.
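The client-side test described above can be scripted. This added example (not from the original post) offers only the AES128 ciphers and reads the server's list back from OpenSSH's `no matching cipher found` error, which also shows whether an AES128 variant such as `aes128-gcm@openssh.com` is still enabled. The sample outputs, the 192.0.2.10 address and the `SSH_AUDIT_HOST` variable name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample outputs are constructed.
WEAK_CIPHERS="aes128-ctr,aes128-cbc"

# Offer only the AES128 ciphers and capture what the OpenSSH client reports.
probe() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o Ciphers="$WEAK_CIPHERS" "$1" true 2>&1
}

# Print the server's cipher list from a "no matching cipher found" error,
# one name per line; print nothing when that error is absent.
server_offer() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/.*no matching cipher found\. Their offer: //p' | tr ',' '\n'
}

# Turn one captured client output into a verdict.
verdict() {
    offer=$(server_offer "$1")
    if [ -z "$offer" ]; then
        case "$1" in
            *"no matching "*|*"Connection refused"*|*"timed out"*|*"Could not resolve"*)
                echo "inconclusive" ;;           # failed for a reason other than ciphers
            *)  echo "weak-cipher-negotiated" ;; # got past cipher selection
        esac
        return 0
    fi
    # The refusal lists everything the server offers: look for AES128 variants
    # that were not in our probe, such as aes128-gcm@openssh.com.
    left=$(printf '%s\n' "$offer" | sed -n '/^aes128/p' | tr '\n' ' ')
    if [ -n "$left" ]; then
        echo "rejected-but-still-offers: ${left% }"
    else
        echo "rejected"
    fi
}

# Constructed client outputs (192.0.2.10 is a documentation address).
SAMPLE_FIXED='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com'
SAMPLE_GCM='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-gcm@openssh.com,aes256-ctr'
SAMPLE_OPEN='admin@192.0.2.10: Permission denied (publickey,password).'

for s in "$SAMPLE_FIXED" "$SAMPLE_GCM" "$SAMPLE_OPEN"; do verdict "$s"; done

# Live check: set SSH_AUDIT_HOST (hypothetical variable name) to user@device.
if [ -n "${SSH_AUDIT_HOST:-}" ]; then verdict "$(probe "$SSH_AUDIT_HOST")"; fi
```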
And here's the server ssh key fingerprints; notice the after and before (green / red) circles.
This allowed us to tighten access via our ssh clients.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \