SSH Clients to only allow secure KexAlgorithms in Acquia Cloud release 1.90

As part of our ongoing efforts to ensure that both the Acquia platform and your websites remain reliable and secure, Acquia is restricting sshd_configs to allow only secure Key Exchange Algorithms (KexAlgorithms) in the Acquia Cloud 1.90 release.

Why was this change made?

This change constrains key exchanges between SSH clients and servers to strong algorithms, to help prevent man-in-the-middle attacks (such as Logjam).

Am I affected?

If you are using an outdated SSH client (particularly older SFTP and SCP clients), you may encounter connectivity issues after the Acquia Cloud 1.90 release. An SSH client that fails to meet these security requirements can produce an error similar to the following:

server sshd: fatal: Unable to negotiate a key exchange method

Restoring your access

To restore your access, update your SSH client to a version that supports one of the accepted KexAlgorithms:

  • ecdh-sha2-nistp521
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp256
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha1
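
To check a client against this list before connecting, compare the algorithms it offers with the accepted ones. The script below is an added example, not Acquia tooling: the function names and the two sample client lists are constructed, and it assumes an OpenSSH client, whose `ssh -Q kex` query prints one supported algorithm per line.

```shell
#!/bin/sh
# Accepted KexAlgorithms, copied from the list above.
ACCEPTED_KEX="ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1"

# common_kex: read a client's algorithm list on stdin (one name per line)
# and print the names the server also accepts, in the client's order.
# -F treats each accepted name as a fixed string; -x requires a whole-line
# match, so "diffie-hellman-group-exchange-sha1" is not mistaken for the
# accepted "...-sha256" variant or vice versa.
common_kex() {
    tr -d '\r' | grep -Fx -- "$ACCEPTED_KEX" || true
}

# check_client: return 0 if at least one algorithm is shared, 1 otherwise.
check_client() {
    shared=$(common_kex)
    if [ -n "$shared" ]; then
        printf 'OK, shared KexAlgorithms:\n%s\n' "$shared"
        return 0
    fi
    printf 'No accepted KexAlgorithm offered; update the SSH client.\n' >&2
    return 1
}

# Constructed sample lists (not captured from real clients).
SAMPLE_MODERN="curve25519-sha256
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1"

SAMPLE_OLD="diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1"

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_MODERN" | check_client
printf '%s\n' "$SAMPLE_OLD" | check_client || echo "(this client would fail to negotiate)"

# Against the locally installed OpenSSH client:
#   ssh -Q kex | check_client
```
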

If you have any questions regarding this issue, contact Acquia Support.
