disabling "weak" algorithms in sshd
Vikashb Badal
vikashb at where-ever.za.net
Mon Feb 17 15:51:37 UTC 2020
On 17/02/2020 17:09, Shamim Shahriar wrote:
> Good afternoon all
>
> I had been googling for quite some time and so far came up empty, maybe
i don't know if there is a best practice for these atm, i usually update
/etc/ssh/shd_config and add/replace:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
https://man.openbsd.org/sshd_config#Ciphers
https://man.openbsd.org/sshd_config#MACs
"ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers currently
allowed,
> someone can shed some light or point me to the correct direction.
>
> I have introduced a bunch of servers into an infrastructure that previously
> had zero FreeBSD system. They make use of Tenable Security Centre (
> tenable.com) which I believe used Nessus in the backend to identify
> vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
> plugin ID 90317) "SSH Weak Algorithms Supported) because the server allows
> "none" algorithms.
>
> Is there any way to "select" or "selectively disable" algorithms and hashes
> from sshd? According to various web sources, certain implementation on
> certain distributions might have options to amend the list, but none of the
> examples I have found worked on my FreeBSD system.
>
> Would appreciate if someone could please point me to the correct direction.
>
> Kind regards
> SK
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions
mailing list