Disable Weak Key Exchange Algorithm, CBC Mode in SSH

Disable Weak Key Exchange Algorithm, CBC Mode in SSH

Backup /etc/sysconfig/sshd and /etc/ssh/sshd_config

cp /etc/sysconfig/sshd /etc/sysconfig/sshd.beforecp /etc/ssh/sshd_config /etc/ssh/sshd_config.before

Edit /etc/sysconfig/sshd to uncomment the CRYPTO_POLICY setting

from:

# CRYPTO_POLICY=

to:

CRYPTO_POLICY=

Copy the following ciphers, MACs, and KexAlgorithms to /etc/ssh/sshd_config.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctrMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Verify the configuration file before restarting the SSH server.

sshd -t

If there are no errors reported, then restart the SSHD service.

systemctl restart sshd

Test weak CBC ciphers by executing the below command.

ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc

If successful, it will prompt for a password. This means weak ciphers are enabled.

If it fails, indicating cbc ciphers are disabled, you should receive a message like this:

Unable to negotiate with 10.30.11.11 port 22: no matching cipher found.Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

To test if weak MAC algorithms are enabled, run the below command:

ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com

RHEL8 default ciphers include a number which have implicit MACs, testing like above will actually negotiate successfully and securely even though it would appear it is using hmac-md5. Look for the concluding negotiation where you will see something similar to:

debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: compression: nonedebug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: compression: none

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。