The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Disable MD5 and 96-bit MAC algorithms.
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
This means that if two machines are connecting to each other (without overriding the default ciphers through configuration options), they will always use the aes128-ctr cipher to encrypt their connection.
There are a couple of sections in the ssh_config and sshd_config files that can be changed.
Those are the "Ciphers" and the "MACs" sections of the config files.
Disable MD5 and 96-bit MAC algorithms and CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
* MD5 (Message-Digest algorithm)
* It is a cryptographic hash function.
* It produces a 128-bit hash value.
* The hash value represents a fingerprint of the data.
* It is basically used to check data integrity, so one can recognize the file.
The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac).
Just uncomment the MACs line in ssh_config:
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
If you are on the server itself you can see which MACs the sshd is configured to use with the -T option.
# sshd -T | egrep '^macs'
# ssh -vv -oMACs=hmac-md5 <server>
Then rewrite this line in sshd_config, enabling CTR:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
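The following shell functions are an added example, not part of the original post. They apply the remediation above to the MACs and Ciphers lines quoted on this page: MACs containing md5 or -96 are dropped, and only CTR or GCM ciphers are kept. The function names is_weak, split_list, harden and flagged are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Constructed sample input: the MACs and Ciphers lines quoted on this page.
PAGE_MACS='hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160'
PAGE_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'

# is_weak KIND ALG: succeed when ALG falls under the finding for KIND.
is_weak() {
    case "$1:$2" in
        macs:*md5*|macs:*-96*)       return 0 ;;  # MD5-based or 96-bit MAC
        ciphers:*-ctr|ciphers:*gcm*) return 1 ;;  # CTR or GCM mode: keep
        ciphers:*)                   return 0 ;;  # neither CTR nor GCM (CBC, arcfour)
    esac
    return 1
}

# split_list WANT KIND LIST: print the entries of the comma-separated LIST
# that are weak (WANT=weak) or not weak (WANT=strong), comma-joined again.
split_list() {
    out=
    old_ifs=$IFS; IFS=,
    for alg in $3; do
        if is_weak "$2" "$alg"; then verdict=weak; else verdict=strong; fi
        if [ "$verdict" = "$1" ]; then out="${out:+$out,}$alg"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

harden()  { split_list strong "$1" "$2"; }  # value to keep on the config line
flagged() { split_list weak   "$1" "$2"; }  # entries a scanner would report

echo "MACs flagged:    $(flagged macs "$PAGE_MACS")"
echo "MACs $(harden macs "$PAGE_MACS")"
echo "Ciphers flagged: $(flagged ciphers "$PAGE_CIPHERS")"
echo "Ciphers $(harden ciphers "$PAGE_CIPHERS")"

# On the server itself (as root), feed in the live values instead:
#   harden macs "$(sshd -T | awk '$1 == "macs" { print $2 }')"
```

After putting the hardened lines into sshd_config, restart sshd and re-run the sshd -T check above to confirm that the flagged entries are gone.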