Re: enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Jan 26, 2024 at 7:24 PM Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:

> On 25.01.24 14:09, Kaushal Shriyan wrote:
> > I am running the below servers on Red Hat Enterprise Linux release 8.7
> > How do I enable strong KexAlgorithms, Ciphers and MACs
>
> On RHEL 8, you need to be aware that there are "crypto policies"
> modifying sshd's behaviour, and it would likely be the *preferred*
> method to inject your intended config changes *there* (unless they
> happen to already be part of an existing policy, like FUTURE).
>
>
> https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Thanks Jochen for the quick response. Much appreciated. I have followed
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
by setting the crypto policies as per below.

Starting audit of 192.168.0.108:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)

# security
(cve) CVE-2021-41617                        -- (CVSSv2: 7.0) privilege
escalation via supplemental groups
(cve) CVE-2020-15778                        -- (CVSSv2: 7.8) command
injection via anomalous argument transfers
(cve) CVE-2019-16905                        -- (CVSSv2: 7.8) memory
corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012                        -- (CVSSv2: 5.3) enumerate
usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since
OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256                     -- [info] default key exchange
since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] available since
OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] default key exchange
since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since
OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available
since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's
GEX fallback mechanism was triggered during testing. Very old SSH clients
will still be able to create connections using a 2048-bit modulus, though
modern clients will use 3072. This can only be disabled by recompiling the
code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since
OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] default cipher since
OpenSSH 6.9
(enc) aes256-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes128-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes256-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since
OpenSSH 3.7
(enc) aes128-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx              -- [info] available since
OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@xxxxxxxxxxx        -- enc algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <
https://www.ssh-audit.com/hardening_guides.html>

#update-crypto-policies --set FIPS
# update-crypto-policies --show
FIPS
#./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear
SSH 2016.73+
(gen) compression: enabled (zlib@xxxxxxxxxxx)

# security
(cve) CVE-2021-41617                        -- (CVSSv2: 7.0) privilege
escalation via supplemental groups
(cve) CVE-2020-15778                        -- (CVSSv2: 7.8) command
injection via anomalous argument transfers
(cve) CVE-2019-16905                        -- (CVSSv2: 7.8) memory
corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012                        -- (CVSSv2: 5.3) enumerate
usernames via challenge response

# key exchange algorithms
(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available
since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's
GEX fallback mechanism was triggered during testing. Very old SSH clients
will still be able to create connections using a 2048-bit modulus, though
modern clients will use 3072. This can only be disabled by recompiling the
code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256         -- [warn] 2048-bit modulus only
provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since
OpenSSH 7.3

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)               -- [info] available since
OpenSSH 7.2

# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes256-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc                            -- [warn] using weak cipher mode
(enc) aes256-cbc                            -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc                            -- [info] available since
OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes128-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc                            -- [warn] using weak cipher mode
(enc) aes128-cbc                            -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc                            -- [info] available since
OpenSSH 2.3.0, Dropbear SSH 0.28

# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [fail] using broken SHA-1
hash algorithm
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-256                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                             -- [fail] using broken SHA-1
hash algorithm
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha1                             -- [info] available since
OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-512                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@xxxxxxxxxxx            -- mac algorithm to remove
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) +curve25519-sha256                    -- kex algorithm to append
(rec) +curve25519-sha256@xxxxxxxxxx         -- kex algorithm to append
(rec) +ssh-ed25519                          -- key algorithm to append
(rec) -aes128-cbc                           -- enc algorithm to remove
(rec) -aes256-cbc                           -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256        -- kex algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@xxxxxxxxxxx        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@xxxxxxxxxxx        -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <
https://www.ssh-audit.com/hardening_guides.html>


#update-crypto-policies --set FUTURE
#update-crypto-policies --show
FUTURE
#
I still see vulnerability while ./ssh-audit.py -vvv 192.168.0.108

# ./ssh-audit.py -vvv 192.168.0.108
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@xxxxxxxxxxx)

# key exchange algorithms
(kex) curve25519-sha256                     -- [warn] unknown algorithm
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] available since
OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic
curves
(kex) ecdh-sha2-nistp256                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic
curves
(kex) ecdh-sha2-nistp384                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic
curves
(kex) ecdh-sha2-nistp521                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256  -- [warn] using custom size
modulus (possibly weak)
(kex) diffie-hellman-group-exchange-sha256  -- [info] available since
OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since
OpenSSH 7.3

# host-key algorithms
(key) rsa-sha2-512                          -- [info] available since
OpenSSH 7.2
(key) rsa-sha2-256                          -- [info] available since
OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since
OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] default cipher since
OpenSSH 6.9.
(enc) aes256-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx              -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-256                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56
(mac) umac-128@xxxxxxxxxxx                  -- [warn] using encrypt-and-MAC
mode
(mac) umac-128@xxxxxxxxxxx                  -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-512                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56

# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) +diffie-hellman-group14-sha256        -- kex algorithm to append
(rec) +ssh-rsa                              -- key algorithm to append
(rec) +aes128-ctr                           -- enc algorithm to append
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) +aes128-gcm@xxxxxxxxxxx               -- enc algorithm to append
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@xxxxxxxxxxx                 -- mac algorithm to remove

#


#update-crypto-policies --set DEFAULT
# update-crypto-policies --show
DEFAULT
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)

# security
(cve) CVE-2021-41617                        -- (CVSSv2: 7.0) privilege
escalation via supplemental groups
(cve) CVE-2020-15778                        -- (CVSSv2: 7.8) command
injection via anomalous argument transfers
(cve) CVE-2019-16905                        -- (CVSSv2: 7.8) memory
corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012                        -- (CVSSv2: 5.3) enumerate
usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since
OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256                     -- [info] default key exchange
since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] available since
OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] default key exchange
since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since
OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available
since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's
GEX fallback mechanism was triggered during testing. Very old SSH clients
will still be able to create connections using a 2048-bit modulus, though
modern clients will use 3072. This can only be disabled by recompiling the
code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since
OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] default cipher since
OpenSSH 6.9
(enc) aes256-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes128-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes256-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since
OpenSSH 3.7
(enc) aes128-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx              -- [info] available since
OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@xxxxxxxxxxx        -- enc algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <
https://www.ssh-audit.com/hardening_guides.html>

#

# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# update-crypto-policies --show
LEGACY
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear
SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)

# security
(cve) CVE-2021-41617                        -- (CVSSv2: 7.0) privilege
escalation via supplemental groups
(cve) CVE-2020-15778                        -- (CVSSv2: 7.8) command
injection via anomalous argument transfers
(cve) CVE-2019-16905                        -- (CVSSv2: 7.8) memory
corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012                        -- (CVSSv2: 5.3) enumerate
usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since
OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256                     -- [info] default key exchange
since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] available since
OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx          -- [info] default key exchange
since OpenSSH 6.4
(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves
that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521                    -- [info] available since
OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available
since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's
GEX fallback mechanism was triggered during testing. Very old SSH clients
will still be able to create connections using a 2048-bit modulus, though
modern clients will use 3072. This can only be disabled by recompiling the
code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256         -- [warn] 2048-bit modulus only
provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512         -- [info] available since
OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since
OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [fail] using broken
SHA-1 hash algorithm
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] available
since OpenSSH 2.3.0
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] OpenSSH's GEX
fallback mechanism was triggered during testing. Very old SSH clients will
still be able to create connections using a 2048-bit modulus, though modern
clients will use 3072. This can only be disabled by recompiling the code
(see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1
hash algorithm
(kex) diffie-hellman-group14-sha1           -- [warn] 2048-bit modulus only
provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha1           -- [info] available since
OpenSSH 3.9, Dropbear SSH 0.53

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)               -- [info] available since
OpenSSH 7.2
(key) ssh-rsa (4096-bit)                    -- [fail] using broken SHA-1
hash algorithm
(key) ssh-rsa (4096-bit)                    -- [info] available since
OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ssh-rsa (4096-bit)                    -- [info] deprecated in OpenSSH
8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-ed25519                           -- [info] available since
OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx         -- [info] default cipher since
OpenSSH 6.9
(enc) aes256-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc                            -- [warn] using weak cipher mode
(enc) aes256-cbc                            -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc                            -- [info] available since
OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@xxxxxxxxxxx                -- [info] available since
OpenSSH 6.2
(enc) aes128-ctr                            -- [info] available since
OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc                            -- [warn] using weak cipher mode
(enc) aes128-cbc                            -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc                            -- [info] available since
OpenSSH 2.3.0, Dropbear SSH 0.28
(enc) 3des-cbc                              -- [fail] using broken &
deprecated 3DES cipher
(enc) 3des-cbc                              -- [warn] using weak cipher mode
(enc) 3des-cbc                              -- [warn] using small 64-bit
block size
(enc) 3des-cbc                              -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) 3des-cbc                              -- [info] available since
OpenSSH 1.2.2, Dropbear SSH 0.28

# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [fail] using broken SHA-1
hash algorithm
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@xxxxxxxxxxx             -- [info] available since
OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx              -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) umac-128-etm@xxxxxxxxxxx              -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [warn] vulnerable to the
Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@xxxxxxxxxxx         -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-256                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                             -- [fail] using broken SHA-1
hash algorithm
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha1                             -- [info] available since
OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) umac-128@xxxxxxxxxxx                  -- [warn] using encrypt-and-MAC
mode
(mac) umac-128@xxxxxxxxxxx                  -- [info] available since
OpenSSH 6.2
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC
mode
(mac) hmac-sha2-512                         -- [info] available since
OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 --
[info] do not rely on MD5 fingerprints for server identification; it is
insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -3des-cbc                             -- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@xxxxxxxxxxx            -- mac algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) -aes128-cbc                           -- enc algorithm to remove
(rec) -aes256-cbc                           -- enc algorithm to remove
(rec) -chacha20-poly1305@xxxxxxxxxxx        -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256        -- kex algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@xxxxxxxxxxx        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@xxxxxxxxxxx        -- mac algorithm to remove
(rec) -umac-128-etm@xxxxxxxxxxx             -- mac algorithm to remove
(rec) -umac-128@xxxxxxxxxxx                 -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <
https://www.ssh-audit.com/hardening_guides.html>

#

# rpm -qa |grep openssh
openssh-clients-8.0p1-19.el8_8.x86_64
openssh-8.0p1-19.el8_8.x86_64
openssh-server-8.0p1-19.el8_8.x86_64
openssh-askpass-8.0p1-19.el8_8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 (Ootpa)
#

Please suggest further. Thanks in advance

Best Regards,

Kaushal
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 9443
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux