Jochen Bern
2024-Jan-26 13:48 UTC
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On 25.01.24 14:09, Kaushal Shriyan wrote:> I am running the below servers on Red Hat Enterprise Linux release 8.7 > How do I enable strong KexAlgorithms, Ciphers and MACsOn RHEL 8, you need to be aware that there are "crypto policies" modifying sshd's behaviour, and it would likely be the *preferred* method to inject your intended config changes *there* (unless they happen to already be part of an existing policy, like FUTURE). https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening Kind regards, -- Jochen Bern Systemingenieur Binect GmbH -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3449 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240126/7a12af64/attachment-0001.p7s>
Kaushal Shriyan
2024-Jan-27 15:24 UTC
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On Fri, Jan 26, 2024 at 7:24?PM Jochen Bern <Jochen.Bern at binect.de> wrote:> On 25.01.24 14:09, Kaushal Shriyan wrote: > > I am running the below servers on Red Hat Enterprise Linux release 8.7 > > How do I enable strong KexAlgorithms, Ciphers and MACs > > On RHEL 8, you need to be aware that there are "crypto policies" > modifying sshd's behaviour, and it would likely be the *preferred* > method to inject your intended config changes *there* (unless they > happen to already be part of an existing policy, like FUTURE). > > > https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening > > Kind regards, > -- > Jochen Bern > Systemingenieur > > Binect GmbH > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-devThanks Jochen for the quick response. Much appreciated. I have followed https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening by setting the crypto policies as per below. Starting audit of 192.168.0.108:22... # general (gen) banner: SSH-2.0-OpenSSH_8.0 (gen) software: OpenSSH 8.0 (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+ (gen) compression: enabled (zlib at openssh.com) # security (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers (cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4 (kex) curve25519-sha256 at libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256 at libssh.org -- [info] default key exchange since OpenSSH 6.4 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). # host-key algorithms (key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) chacha20-poly1305 at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305 at openssh.com -- [info] available since OpenSSH 6.5 (enc) chacha20-poly1305 at openssh.com -- [info] default cipher since OpenSSH 6.9 (enc) aes256-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 # message authentication code algorithms (mac) hmac-sha2-256-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) umac-128-etm at openssh.com -- [info] available since OpenSSH 6.2 # fingerprints (fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8 (fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case (fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ (fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case # algorithm recommendations (for OpenSSH 8.0) (rec) -chacha20-poly1305 at openssh.com -- enc algorithm to remove # additional info (nfo) For hardening guides on common OSes, please see: < https://www.ssh-audit.com/hardening_guides.html> #update-crypto-policies --set FIPS # update-crypto-policies --show FIPS #./ssh-audit.py -vvv localhost Starting audit of localhost:22... # general (gen) banner: SSH-2.0-OpenSSH_8.0 (gen) software: OpenSSH 8.0 (gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear SSH 2016.73+ (gen) compression: enabled (zlib at openssh.com) # security (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers (cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response # key exchange algorithms (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 # host-key algorithms (key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2 # encryption algorithms (ciphers) (enc) aes256-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes256-cbc -- [warn] using weak cipher mode (enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 (enc) aes128-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-cbc -- [warn] using weak cipher mode (enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 # message authentication code algorithms (mac) hmac-sha2-256-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha2-256-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm at openssh.com -- [fail] using broken SHA-1 hash algorithm (mac) hmac-sha1-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha1-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha2-512-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 # fingerprints (fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ (fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case # algorithm recommendations (for OpenSSH 8.0) (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) -hmac-sha1 -- mac algorithm to remove (rec) -hmac-sha1-etm at openssh.com -- mac algorithm to remove (rec) +aes192-ctr -- enc algorithm to append (rec) +curve25519-sha256 -- kex algorithm to append (rec) +curve25519-sha256 at libssh.org -- kex algorithm to append (rec) +ssh-ed25519 -- key algorithm to append (rec) -aes128-cbc -- enc algorithm to remove (rec) -aes256-cbc -- enc algorithm to remove (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove (rec) -hmac-sha2-256 -- mac algorithm to remove (rec) -hmac-sha2-256-etm at openssh.com -- mac algorithm to remove (rec) -hmac-sha2-512 -- mac algorithm to remove (rec) -hmac-sha2-512-etm at openssh.com -- mac algorithm to remove # additional info (nfo) For hardening guides on common OSes, please see: < https://www.ssh-audit.com/hardening_guides.html> #update-crypto-policies --set FUTURE #update-crypto-policies --show FUTURE # I still see vulnerability while ./ssh-audit.py -vvv 192.168.0.108 # ./ssh-audit.py -vvv 192.168.0.108 # general (gen) banner: SSH-2.0-OpenSSH_8.0 (gen) software: OpenSSH 8.0 (gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+ (gen) compression: enabled (zlib at openssh.com) # key exchange algorithms (kex) curve25519-sha256 -- [warn] unknown algorithm (kex) curve25519-sha256 at libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves (kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves (kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves (kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak) (kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 # host-key algorithms (key) rsa-sha2-512 -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 -- [info] available since OpenSSH 7.2 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) aes256-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) chacha20-poly1305 at openssh.com -- [info] available since OpenSSH 6.5 (enc) chacha20-poly1305 at openssh.com -- [info] default cipher since OpenSSH 6.9. (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 # message authentication code algorithms (mac) hmac-sha2-256-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) umac-128-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) umac-128 at openssh.com -- [warn] using encrypt-and-MAC mode (mac) umac-128 at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 # algorithm recommendations (for OpenSSH 8.0) (rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) +diffie-hellman-group14-sha256 -- kex algorithm to append (rec) +ssh-rsa -- key algorithm to append (rec) +aes128-ctr -- enc algorithm to append (rec) +aes192-ctr -- enc algorithm to append (rec) +aes128-gcm at openssh.com -- enc algorithm to append (rec) -hmac-sha2-256 -- mac algorithm to remove (rec) -hmac-sha2-512 -- mac algorithm to remove (rec) -umac-128 at openssh.com -- mac algorithm to remove # #update-crypto-policies --set DEFAULT # update-crypto-policies --show DEFAULT # ./ssh-audit.py -vvv localhost Starting audit of localhost:22... # general (gen) banner: SSH-2.0-OpenSSH_8.0 (gen) software: OpenSSH 8.0 (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+ (gen) compression: enabled (zlib at openssh.com) # security (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers (cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4 (kex) curve25519-sha256 at libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256 at libssh.org -- [info] default key exchange since OpenSSH 6.4 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). # host-key algorithms (key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) chacha20-poly1305 at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305 at openssh.com -- [info] available since OpenSSH 6.5 (enc) chacha20-poly1305 at openssh.com -- [info] default cipher since OpenSSH 6.9 (enc) aes256-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 # message authentication code algorithms (mac) hmac-sha2-256-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) umac-128-etm at openssh.com -- [info] available since OpenSSH 6.2 # fingerprints (fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8 (fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case (fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ (fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case # algorithm recommendations (for OpenSSH 8.0) (rec) -chacha20-poly1305 at openssh.com -- enc algorithm to remove # additional info (nfo) For hardening guides on common OSes, please see: < https://www.ssh-audit.com/hardening_guides.html> # # update-crypto-policies --set LEGACY Setting system policy to LEGACY Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. # update-crypto-policies --show LEGACY # ./ssh-audit.py -vvv localhost Starting audit of localhost:22... # general (gen) banner: SSH-2.0-OpenSSH_8.0 (gen) software: OpenSSH 8.0 (gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+ (gen) compression: enabled (zlib at openssh.com) # security (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers (cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response # key exchange algorithms (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4 (kex) curve25519-sha256 at libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256 at libssh.org -- [info] default key exchange since OpenSSH 6.4 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [fail] using broken SHA-1 hash algorithm (kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm (kex) diffie-hellman-group14-sha1 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength (kex) diffie-hellman-group14-sha1 -- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 # host-key algorithms (key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2 (key) ssh-rsa (4096-bit) -- [fail] using broken SHA-1 hash algorithm (key) ssh-rsa (4096-bit) -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 (key) ssh-rsa (4096-bit) -- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) aes256-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) chacha20-poly1305 at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305 at openssh.com -- [info] available since OpenSSH 6.5 (enc) chacha20-poly1305 at openssh.com -- [info] default cipher since OpenSSH 6.9 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes256-cbc -- [warn] using weak cipher mode (enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 (enc) aes128-gcm at openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-cbc -- [warn] using weak cipher mode (enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 (enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher (enc) 3des-cbc -- [warn] using weak cipher mode (enc) 3des-cbc -- [warn] using small 64-bit block size (enc) 3des-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) 3des-cbc -- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 # message authentication code algorithms (mac) hmac-sha2-256-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha2-256-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm at openssh.com -- [fail] using broken SHA-1 hash algorithm (mac) hmac-sha1-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha1-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) umac-128-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) umac-128-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm at openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (mac) hmac-sha2-512-etm at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 (mac) umac-128 at openssh.com -- [warn] using encrypt-and-MAC mode (mac) umac-128 at openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode (mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 # fingerprints (fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8 (fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case (fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ (fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case # algorithm recommendations (for OpenSSH 8.0) (rec) -3des-cbc -- enc algorithm to remove (rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) -hmac-sha1 -- mac algorithm to remove (rec) -hmac-sha1-etm at openssh.com -- mac algorithm to remove (rec) -ssh-rsa -- key algorithm to remove (rec) +aes192-ctr -- enc algorithm to append (rec) -aes128-cbc -- enc algorithm to remove (rec) -aes256-cbc -- enc algorithm to remove (rec) -chacha20-poly1305 at openssh.com -- enc algorithm to remove (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove (rec) -hmac-sha2-256 -- mac algorithm to remove (rec) -hmac-sha2-256-etm at openssh.com -- mac algorithm to remove (rec) -hmac-sha2-512 -- mac algorithm to remove (rec) -hmac-sha2-512-etm at openssh.com -- mac algorithm to remove (rec) -umac-128-etm at openssh.com -- mac algorithm to remove (rec) -umac-128 at openssh.com -- mac algorithm to remove # additional info (nfo) For hardening guides on common OSes, please see: < https://www.ssh-audit.com/hardening_guides.html> # # rpm -qa |grep openssh openssh-clients-8.0p1-19.el8_8.x86_64 openssh-8.0p1-19.el8_8.x86_64 openssh-server-8.0p1-19.el8_8.x86_64 openssh-askpass-8.0p1-19.el8_8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.9 (Ootpa) # Please suggest further. Thanks in advance Best Regards, Kaushal -------------- next part -------------- # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 9443 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # This system is following system-wide crypto policy. The changes to # crypto properties (Ciphers, MACs, ...) will not have any effect here. # They will be overridden by command-line options passed to the server # on command line. # Please, check manual pages for update-crypto-policies(8) and sshd_config(5). # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in RHEL and may cause several # problems. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes # It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, # as it is more configurable and versatile than the built-in version. PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server
Possibly Parallel Threads
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
- [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
- one host only: ssh_dispatch_run_fatal
- Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
- Custom PAM module not working correctly