disabling "weak" algorithms in sshd
Earl A Ramirez
earlaramirez at gmail.com
Mon Feb 17 15:46:53 UTC 2020
On Mon, 17 Feb 2020 at 15:09, Shamim Shahriar <shamim.shahriar at gmail.com>
wrote:
> Good afternoon all
>
> I had been googling for quite some time and so far came up empty, maybe
> someone can shed some light or point me to the correct direction.
>
> I have introduced a bunch of servers into an infrastructure that previously
> had zero FreeBSD system. They make use of Tenable Security Centre (
> tenable.com) which I believe used Nessus in the backend to identify
> vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
> plugin ID 90317) "SSH Weak Algorithms Supported) because the server allows
> "none" algorithms.
>
> Is there any way to "select" or "selectively disable" algorithms and hashes
> from sshd? According to various web sources, certain implementation on
> certain distributions might have options to amend the list, but none of the
> examples I have found worked on my FreeBSD system.
>
> Would appreciate if someone could please point me to the correct direction.
>
> I have been using the following lines to get mitigate Nessus findings in
the sshd_config
# Permit supported Ciphers, MAC and Algorithms
Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,
aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
umac-128-etm at openssh.com
KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
--
Kind Regards
Earl Ramirez
More information about the freebsd-questions
mailing list