On Thu, Jan 25, 2024 at 7:53 PM Mike Burger <mburger@xxxxxxxxxxxxxxxxx> wrote:
Hello, Kaushal.
The first item in this Google search is Red Hat's blog entry on the matter.
On 2024-01-25 08:10, Kaushal Shriyan wrote:
Hi,
I am running the servers below on Red Hat Enterprise Linux release 8.7 (Ootpa). The details are as follows.
# rpm -qa | grep openssh
openssh-8.0p1-16.el8.x86_64
openssh-askpass-8.0p1-16.el8.x86_64
openssh-server-8.0p1-16.el8.x86_64
openssh-clients-8.0p1-16.el8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)
#
How do I enable strong KexAlgorithms, Ciphers and MACs in the /etc/ssh/sshd_config file for the above ssh server version? For example, as per the settings below.
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,umac-128@xxxxxxxxxxx
Please guide me.
Thanks in advance.
Best Regards,
Kaushal
--
You received this message because you are subscribed to the Google Groups "redhat-list@xxxxxxxxxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redhat-list+unsubscribe@xxxxxxxxxx.
Hi,
I followed https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening by setting the crypto policies as below, and used https://github.com/jtesta/ssh-audit to scan for vulnerabilities.
Starting audit of 192.168.0.108:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx -- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) chacha20-poly1305@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] default cipher since OpenSSH 6.9
(enc) aes256-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@xxxxxxxxxxx -- enc algorithm to remove
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
#update-crypto-policies --set FIPS
# update-crypto-policies --show
FIPS
#./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@xxxxxxxxxxx)
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc -- [warn] using weak cipher mode
(enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc -- [warn] using weak cipher mode
(enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# fingerprints
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
# algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) +aes192-ctr -- enc algorithm to append
(rec) +curve25519-sha256 -- kex algorithm to append
(rec) +curve25519-sha256@xxxxxxxxxx -- kex algorithm to append
(rec) +ssh-ed25519 -- key algorithm to append
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@xxxxxxxxxxx -- mac algorithm to remove
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
#update-crypto-policies --set FUTURE
#update-crypto-policies --show
FUTURE
#
I still see vulnerabilities when running ./ssh-audit.py -vvv 192.168.0.108
# ./ssh-audit.py -vvv 192.168.0.108
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@xxxxxxxxxxx)
# key exchange algorithms
(kex) curve25519-sha256 -- [warn] unknown algorithm
(kex) curve25519-sha256@xxxxxxxxxx -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
# host-key algorithms
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] default cipher since OpenSSH 6.9.
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) umac-128@xxxxxxxxxxx -- [warn] using encrypt-and-MAC mode
(mac) umac-128@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) +diffie-hellman-group14-sha256 -- kex algorithm to append
(rec) +ssh-rsa -- key algorithm to append
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append
(rec) +aes128-gcm@xxxxxxxxxxx -- enc algorithm to append
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@xxxxxxxxxxx -- mac algorithm to remove
#
#update-crypto-policies --set DEFAULT
# update-crypto-policies --show
DEFAULT
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx -- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) chacha20-poly1305@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] default cipher since OpenSSH 6.9
(enc) aes256-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@xxxxxxxxxxx -- enc algorithm to remove
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
#
# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# update-crypto-policies --show
LEGACY
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...
# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@xxxxxxxxxxx)
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@xxxxxxxxxx -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@xxxxxxxxxx -- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha1 -- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-rsa (4096-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (4096-bit) -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ssh-rsa (4096-bit) -- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) aes256-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) chacha20-poly1305@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@xxxxxxxxxxx -- [info] default cipher since OpenSSH 6.9
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc -- [warn] using weak cipher mode
(enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc -- [warn] using weak cipher mode
(enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) 3des-cbc -- [warn] using weak cipher mode
(enc) 3des-cbc -- [warn] using small 64-bit block size
(enc) 3des-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) 3des-cbc -- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
# message authentication code algorithms
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) umac-128-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) umac-128@xxxxxxxxxxx -- [warn] using encrypt-and-MAC mode
(mac) umac-128@xxxxxxxxxxx -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
# algorithm recommendations (for OpenSSH 8.0)
(rec) -3des-cbc -- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) -ssh-rsa -- key algorithm to remove
(rec) +aes192-ctr -- enc algorithm to append
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
(rec) -chacha20-poly1305@xxxxxxxxxxx -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) -umac-128-etm@xxxxxxxxxxx -- mac algorithm to remove
(rec) -umac-128@xxxxxxxxxxx -- mac algorithm to remove
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
#
# rpm -qa |grep openssh
openssh-clients-8.0p1-19.el8_8.x86_64
openssh-8.0p1-19.el8_8.x86_64
openssh-server-8.0p1-19.el8_8.x86_64
openssh-askpass-8.0p1-19.el8_8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 (Ootpa)
#
I have attached the sshd_config file for your reference. Please suggest further. Thanks in advance.
Best Regards,
Kaushal
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 9443
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server