disabling "weak" algorithms in sshd

Shamim Shahriar shamim.shahriar at gmail.com
Mon Feb 17 17:07:30 UTC 2020 

Hello again

I put the modifications to another system, and this one is giving me the
correct result (no further reference to the "none" encryption algorithm.
This implies there may be a problem with the other server that I will need
to look into. Fortunately it is NOT connected to the internet.

Thank you all once again for your help and the pointers.

Best regards
SK

On Mon, 17 Feb 2020 at 17:01, Shamim Shahriar <shamim.shahriar at gmail.com>
wrote:

> Okay, I added the following changes to /etc/ssh/sshd_config
> Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,
> aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> umac-128-etm at openssh.com
> KexAlgorithms curve25519-sha256 at libssh.org
> ,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
>
> and then restarted the ssh daemon
>
> The output for ssh -Q ciphers or ssh -Q mac was identical before and after.
>
> Also, Nessus/Tenable is still complaining.
>
> Nessus negotiated the following encryption algorithm with the server :
>
> The server supports the following options for kex_algorithms :
>
> curve25519-sha256 at libssh.org
> diffie-hellman-group14-sha256
> diffie-hellman-group16-sha512
> diffie-hellman-group18-sha512
>
> The server supports the following options for server_host_key_algorithms :
>
> ecdsa-sha2-nistp256
> rsa-sha2-256
> rsa-sha2-512
> ssh-ed25519
> ssh-rsa
>
> The server supports the following options for
> encryption_algorithms_client_to_server :
>
> aes128-ctr
> aes128-gcm at openssh.com
> aes192-ctr
> aes256-ctr
> aes256-gcm at openssh.com
> chacha20-poly1305 at openssh.com
> none
>
> The server supports the following options for
> encryption_algorithms_server_to_client :
>
> aes128-ctr
> aes128-gcm at openssh.com
> aes192-ctr
> aes256-ctr
> aes256-gcm at openssh.com
> chacha20-poly1305 at openssh.com
> none
>
> The server supports the following options for
> mac_algorithms_client_to_server :
>
> hmac-sha2-256-etm at openssh.com
> hmac-sha2-512-etm at openssh.com
> umac-128-etm at openssh.com
>
> The server supports the following options for
> mac_algorithms_server_to_client :
>
> hmac-sha2-256-etm at openssh.com
> hmac-sha2-512-etm at openssh.com
> umac-128-etm at openssh.com
>
> The server supports the following options for
> compression_algorithms_client_to_server :
>
> none
> zlib at openssh.com
>
> The server supports the following options for
> compression_algorithms_server_to_client :
>
> none
> zlib at openssh.com
>
> Based on that, I can only assume either the sshd_config file I am updating
> is not the one in use, or I am doing something wrong.
>
> Thanks for your suggestions and recommendations
>
> Kind regards
> SK
>
>
> On Mon, 17 Feb 2020 at 16:40, Shamim Shahriar <shamim.shahriar at gmail.com>
> wrote:
>
>> Thank you all for your suggestions, very much appreciated.
>>
>> I did put in the cipher list, but not the MAC or KexAlgorithms, maybe
>> that will make some change to the report. I will put it in and in case the
>> vulnerability pops up again, I'll get back to you.
>>
>> Kind regards
>> SK
>>
>> On Mon, 17 Feb 2020 at 15:51, Vikashb Badal <vikashb at where-ever.za.net>
>> wrote:
>>
>>>
>>> On 17/02/2020 17:09, Shamim Shahriar wrote:
>>> > Good afternoon all
>>> >
>>> > I had been googling for quite some time and so far came up empty, maybe
>>>
>>> i don't know if there is a best practice for these atm, i usually update
>>> /etc/ssh/shd_config and add/replace:
>>>
>>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
>>> MACs hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
>>>
>>> https://man.openbsd.org/sshd_config#Ciphers
>>>
>>> https://man.openbsd.org/sshd_config#MACs
>>>
>>>
>>> "ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers
>>> currently
>>> allowed,
>>>
>>>
>>> > someone can shed some light or point me to the correct direction.
>>> >
>>> > I have introduced a bunch of servers into an infrastructure that
>>> previously
>>> > had zero FreeBSD system. They make use of Tenable Security Centre (
>>> > tenable.com) which I believe used Nessus in the backend to identify
>>> > vulnerabilities. Amongst other things, it is picking up on
>>> (tenable/nessus
>>> > plugin ID 90317) "SSH Weak Algorithms Supported) because the server
>>> allows
>>> > "none" algorithms.
>>> >
>>> > Is there any way to "select" or "selectively disable" algorithms and
>>> hashes
>>> > from sshd? According to various web sources, certain implementation on
>>> > certain distributions might have options to amend the list, but none
>>> of the
>>> > examples I have found worked on my FreeBSD system.
>>> >
>>> > Would appreciate if someone could please point me to the correct
>>> direction.
>>> >
>>> > Kind regards
>>> > SK
>>> > _______________________________________________
>>> > freebsd-questions at freebsd.org mailing list
>>> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> > To unsubscribe, send any mail to "
>>> freebsd-questions-unsubscribe at freebsd.org"
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "
>>> freebsd-questions-unsubscribe at freebsd.org"
>>>
>>

More information about the freebsd-questions mailing list