Kaushal Shriyan
2024-Jan-27 15:24 UTC
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On Fri, Jan 26, 2024 at 7:24 PM Jochen Bern <Jochen.Bern at binect.de> wrote:

> On 25.01.24 14:09, Kaushal Shriyan wrote:
> > I am running the below servers on Red Hat Enterprise Linux release 8.7
> > How do I enable strong KexAlgorithms, Ciphers and MACs
>
> On RHEL 8, you need to be aware that there are "crypto policies"
> modifying sshd's behaviour, and it would likely be the *preferred*
> method to inject your intended config changes *there* (unless they
> happen to already be part of an existing policy, like FUTURE).
>
> https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Thanks Jochen for the quick response. Much appreciated. I have followed https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening by setting the crypto policies as per below.

Starting audit of 192.168.0.108:22...

# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@libssh.org -- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).

# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@openssh.com -- [info] default cipher since OpenSSH 6.9
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

# update-crypto-policies --set FIPS
# update-crypto-policies --show
FIPS
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...

# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response

# key exchange algorithms
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3

# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2

# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc -- [warn] using weak cipher mode
(enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc -- [warn] using weak cipher mode
(enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) +aes192-ctr -- enc algorithm to append
(rec) +curve25519-sha256 -- kex algorithm to append
(rec) +curve25519-sha256@libssh.org -- kex algorithm to append
(rec) +ssh-ed25519 -- key algorithm to append
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@openssh.com -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@openssh.com -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

# update-crypto-policies --set FUTURE
# update-crypto-policies --show
FUTURE
# I still see vulnerability while ./ssh-audit.py -vvv 192.168.0.108
# ./ssh-audit.py -vvv 192.168.0.108

# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256 -- [warn] unknown algorithm
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3

# host-key algorithms
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@openssh.com -- [info] default cipher since OpenSSH 6.9
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
(mac) umac-128@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) +diffie-hellman-group14-sha256 -- kex algorithm to append
(rec) +ssh-rsa -- key algorithm to append
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove

# update-crypto-policies --set DEFAULT
# update-crypto-policies --show
DEFAULT
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...

# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@libssh.org -- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).

# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@openssh.com -- [info] default cipher since OpenSSH 6.9
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# update-crypto-policies --show
LEGACY
# ./ssh-audit.py -vvv localhost
Starting audit of localhost:22...

# general
(gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256 -- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) curve25519-sha256@libssh.org -- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp256 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group-exchange-sha1 (3072-bit) -- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) diffie-hellman-group14-sha1 -- [info] available since OpenSSH 3.9, Dropbear SSH 0.53

# host-key algorithms
(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
(key) ssh-rsa (4096-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (4096-bit) -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ssh-rsa (4096-bit) -- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
(enc) chacha20-poly1305@openssh.com -- [info] default cipher since OpenSSH 6.9
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc -- [warn] using weak cipher mode
(enc) aes256-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes256-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc -- [warn] using weak cipher mode
(enc) aes128-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-cbc -- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) 3des-cbc -- [warn] using weak cipher mode
(enc) 3des-cbc -- [warn] using small 64-bit block size
(enc) 3des-cbc -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) 3des-cbc -- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha1-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha1 -- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
(mac) umac-128@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:LF2lloHchhKq5Y0gZa9MFsK/wBVTd2sadVjFortIBy8
(fin) ssh-ed25519: MD5:67:c2:e6:8d:23:13:8a:54:1e:75:ff:66:4e:1e:8b:87 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case
(fin) ssh-rsa: SHA256:nTCMABhBfu68qgS6PXAJHDFlahvVQB5LbMPx5hgWBZQ
(fin) ssh-rsa: MD5:2d:ab:3a:4f:8e:dc:69:69:96:11:86:56:ce:a6:1a:c1 -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case

# algorithm recommendations (for OpenSSH 8.0)
(rec) -3des-cbc -- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -ssh-rsa -- key algorithm to remove
(rec) +aes192-ctr -- enc algorithm to append
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-256-etm@openssh.com -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -hmac-sha2-512-etm@openssh.com -- mac algorithm to remove
(rec) -umac-128-etm@openssh.com -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

# rpm -qa |grep openssh
openssh-clients-8.0p1-19.el8_8.x86_64
openssh-8.0p1-19.el8_8.x86_64
openssh-server-8.0p1-19.el8_8.x86_64
openssh-askpass-8.0p1-19.el8_8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 (Ootpa)
#

Please suggest further. Thanks in advance

Best Regards,

Kaushal
-------------- next part --------------
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 9443
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Bernd Eckenfels
2024-Jan-27 16:48 UTC
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
Hello,

you can worry all you want about algorithm hardening, but if you have an old openssh version without strict-kex I think ssh-audit does not validate if the CVEs it complains about are fixed in a vendor version, but I would also check with Red Hat if you have applied those errata as well. Given that your system also is missing the Terrapin fix..

Kaushal Shriyan wrote on 27.01.2024 16:24 (GMT +01:00):

> Starting audit of 192.168.0.108:22...
> # general
> (gen) banner: SSH-2.0-OpenSSH_8.0
> (gen) software: OpenSSH 8.0
> (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
> (gen) compression: enabled (zlib@openssh.com)
>
> # security
> (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
> (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
> (cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
> (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
>
> # key exchange algorithms
> ...

(NB: it is supposed to list this at the end: (kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer...(CVE-2023-48795))

Having said that, none of the pre-made RHEL crypto policies can be considered optimal for SSH hardening, you would need to modify single algorithms, however I would recommend don't waste your time with it and get your software updated instead.

Gruss
Bernd
Bernd Eckenfels
2024-Jan-27 19:18 UTC
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW, based on your output it looks like the DEFAULT policy is just fine. If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795

cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0

by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting the openssh server.

However I would NOT do that (since those ciphers are the modern alternatives), and instead update to openssh-server-8.0p1-15.el8_6.3.x86_64.rpm (see https://access.redhat.com/errata/RHSA-2024:0429)

Gruss
Bernd
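Bernd's subpolicy translates two of ssh-audit's recommendations (drop chacha20, switch off etm MACs) into crypto-policies options. The Python below is an added example, not code from the thread, from ssh-audit or from crypto-policies: it parses ssh-audit "(rec)" lines (sample input constructed from the audits above) and generalises that translation into a .pmod file for review. Only CHACHA20-POLY1305 and ssh_etm come from the thread; every other identifier, the @SSH scoping of group/hash/mac/sign, and the module name are assumed from crypto-policies(7), and any recommendation without a known mapping is written out as a comment rather than guessed.

```python
"""Translate ssh-audit "(rec)" lines into a RHEL 8 crypto-policies subpolicy.

Added example for this thread. Identifiers taken from the thread:
CHACHA20-POLY1305 and ssh_etm. All other crypto-policies names are
ASSUMED from crypto-policies(7); review the output before applying it.
"""
import re
from collections import OrderedDict

# One ssh-audit recommendation, e.g. "(rec) -aes128-cbc -- enc algorithm to remove"
REC_RE = re.compile(
    r"^\(rec\)\s+([-+])(\S+)\s+--\s+(kex|key|enc|mac)\s+algorithm to (remove|append)$"
)

# OpenSSH algorithm name -> (pmod option, crypto-policies identifier).
# ASSUMED names except CHACHA20-POLY1305, which appears in the thread.
OPENSSH_TO_POLICY = {
    # ciphers
    "chacha20-poly1305@openssh.com": ("cipher@SSH", "CHACHA20-POLY1305"),
    "aes128-cbc": ("cipher@SSH", "AES-128-CBC"),
    "aes256-cbc": ("cipher@SSH", "AES-256-CBC"),
    "3des-cbc": ("cipher@SSH", "3DES-CBC"),
    # MACs; the *-etm@openssh.com variants are switched off by ssh_etm = 0
    "hmac-sha1": ("mac@SSH", "HMAC-SHA1"),
    "hmac-sha2-256": ("mac@SSH", "HMAC-SHA2-256"),
    "hmac-sha2-512": ("mac@SSH", "HMAC-SHA2-512"),
    "umac-128@openssh.com": ("mac@SSH", "UMAC-128"),
    # key exchange: NIST curves and the 2048-bit MODP group
    "ecdh-sha2-nistp256": ("group@SSH", "SECP256R1"),
    "ecdh-sha2-nistp384": ("group@SSH", "SECP384R1"),
    "ecdh-sha2-nistp521": ("group@SSH", "SECP521R1"),
    "diffie-hellman-group14-sha256": ("group@SSH", "FFDHE-2048"),
    # SHA-1 based kex and host-key signatures
    "diffie-hellman-group14-sha1": ("hash@SSH", "SHA1"),
    "diffie-hellman-group-exchange-sha1": ("hash@SSH", "SHA1"),
    "ssh-rsa": ("sign@SSH", "RSA-SHA1"),
}
OPTION_ORDER = ("cipher@SSH", "mac@SSH", "group@SSH", "hash@SSH", "sign@SSH")


def parse_recs(audit_output):
    """Return [(sign, algorithm, category)] for every '(rec)' line."""
    recs = []
    for line in audit_output.splitlines():
        m = REC_RE.match(line.strip())
        if m:
            sign, alg, category, _action = m.groups()
            recs.append((sign, alg, category))
    return recs


def build_pmod(recs):
    """Build .pmod lines from recommendations, one removal per line.

    Removals with no known crypto-policies equivalent, and every "append"
    recommendation, are emitted as comments so nothing is silently dropped.
    """
    removals = OrderedDict()      # (option, identifier) -> None; dedupes, keeps order
    etm_off = False
    unmapped = []
    for sign, alg, category in recs:
        if sign == "+":
            unmapped.append(f"# unmapped: +{alg} ({category}, append)")
        elif alg.endswith("-etm@openssh.com"):
            etm_off = True        # thread: ssh_etm = 0 disables every *-etm MAC
        elif alg in OPENSSH_TO_POLICY:
            removals[OPENSSH_TO_POLICY[alg]] = None
        else:
            unmapped.append(f"# unmapped: -{alg} ({category}, remove)")
    lines = [f"{opt} = -{ident}"
             for wanted in OPTION_ORDER
             for opt, ident in removals if opt == wanted]
    if etm_off:
        lines.append("ssh_etm = 0")
    return lines + unmapped


# Constructed sample: a subset of the recommendations ssh-audit printed in
# the thread, with the archive's "at" restored to "@".
SAMPLE_AUDIT = """\
# algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) -aes128-cbc                           -- enc algorithm to remove
(rec) -chacha20-poly1305@openssh.com        -- enc algorithm to remove
(rec) -hmac-sha2-256-etm@openssh.com        -- mac algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
"""

if __name__ == "__main__":
    # Save as e.g. /etc/crypto-policies/policies/modules/HARDEN-SSH.pmod (name is
    # an example) and apply with: update-crypto-policies --set DEFAULT:HARDEN-SSH
    print("\n".join(build_pmod(parse_recs(SAMPLE_AUDIT))))
```

Applying the file follows Bernd's steps above, and, as he notes, removing algorithms this way does not replace the errata update that actually fixes CVE-2023-48795.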