Displaying 20 results from an estimated 3000 matches similar to: "enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS"
2024 Jan 25
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
Hi Kaushal,
I maintain a set of SSH hardening guides for various platforms,
including RHEL 8. You can find them here:
https://ssh-audit.com/hardening_guides.html
- Joe
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
On Thu, 2024-01-25 at 18:39 +0530, Kaushal Shriyan wrote:
> Hi,
>
> I am running the below servers on Red Hat Enterprise
2024 Jan 26
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On 25.01.24 14:09, Kaushal Shriyan wrote:
> I am running the below servers on Red Hat Enterprise Linux release 8.7
> How do I enable strong KexAlgorithms, Ciphers and MACs
On RHEL 8, you need to be aware that there are "crypto policies"
modifying sshd's behaviour, and it would likely be the *preferred*
method to inject your intended config changes *there* (unless they
2024 Jan 27
2
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
On Fri, Jan 26, 2024 at 7:24 PM Jochen Bern <Jochen.Bern at binect.de> wrote:
> On 25.01.24 14:09, Kaushal Shriyan wrote:
> > I am running the below servers on Red Hat Enterprise Linux release 8.7
> > How do I enable strong KexAlgorithms, Ciphers and MACs
>
> On RHEL 8, you need to be aware that there are "crypto policies"
> modifying sshd's behaviour,
2024 Jan 27
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW based on your output it looks like the DEFAULT policy is just fine,
If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert
https://access.redhat.com/security/cve/cve-2023-48795
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0
by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy
2015 Jan 07
4
[Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
Bug ID: 2333
Summary: forbid old Ciphers, KexAlgorithms and MACs by default
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee:
2018 Nov 23
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work together
Il giorno gio 22 nov 2018 alle ore 21:24 Stuart Henderson
<stu at spacehopper.org> ha scritto:
>
> On 2018/11/22 19:55, owl700 at gmail.com wrote:
> > Hi, I have compatibility issues with the latest version of
> > openssh-server and an old dropbear client, the dropbear client stops at
> > preauth
> >
> > Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client
2016 Nov 08
4
one host only: ssh_dispatch_run_fatal
Darren Tucker <dtucker at zip.com.au> writes:
> On Tue, Nov 8, 2016 at 2:43 PM, Harry Putnam <reader at newsguy.com> wrote:
>> Darren Tucker <dtucker at zip.com.au> writes:
>>
>>> On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader at newsguy.com> wrote:
>>> [...]
>>>> gv harry> ssh -vv 2x
>>>>
>>>>
2016 Oct 19
2
SSH Weak Ciphers
Am 19.10.2016 um 00:58 schrieb Gordon Messmer <gordon.messmer at gmail.com>:
> On 10/18/2016 03:28 PM, Clint Dilks wrote:
>> So first
>> question is are people generally modifying the list of ciphers supported by
>> the ssh client and sshd?
>
> I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice
2018 Nov 22
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work together
Hi, I have compatibility issues with the latest version of
openssh-server and an old dropbear client, the dropbear client stops at
preauth
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version
2.0; client software version dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
2016 Oct 24
2
SSH fail to login due to hang over after authenticated.
Hi OpenSSH,
I encountered that SSH will hang over after I input the password.
Could you help show me how to resolve this problem? Thanks for your
help.
Please find the ssh debug info and my ssh version as below.
$ ssh -vvv user1@remote_host
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/user1/.ssh/config
debug1: /Users/user1/.ssh/config line 36: Applying options for
2016 Oct 24
1
SSH fail to login due to hang over after authenticated.
Can you confirm if the problem is specific to the ssh client, or the ssh
server? (Try to ssh into the same server from different client, and to some
different server from the same client)
On Mon, Oct 24, 2016 at 9:41 PM, Jin Li <lijin.abc at gmail.com> wrote:
> Hi OpenSSH,
>
> I encountered that SSH will hang over after I input the password.
> Could you help show me how to
2016 Oct 18
7
SSH Weak Ciphers
Hi,
In a recent security review some systems I manage were flagged due to
supporting "weak" ciphers, specifically the ones listed below. So first
question is are people generally modifying the list of ciphers supported by
the ssh client and sshd?
On CentOS 6 currently it looks like if I remove all the ciphers they are
concerned about then I am left with Ciphers
2015 Jul 29
2
Updating from 6.6 - 6.9 SSH
And Server?
- Ben
Nick Stanoszek wrote:
> Please see below :). Just a note---this is the EXACT command that I
> use to log into the server BEFORE I try to update SSH. I continue to
> use this same command for other servers.
>
> Nicks-MacBook-Pro:Downloads$ ssh -i WHATEVERKEY.pem
> ubuntu@54.200.249.185 -v -v -v -v
>
>
2017 May 02
2
playing around with removing algos
On Tue, May 02, 2017 at 06:17:47PM +0200, Cristian Ionescu-Idbohrn wrote:
> $ ssh -vvv -oMacs=umac-64@openssh.com localhost : 2>&1 | egrep -i 'macs|umac'
> debug2: MACs ctos: umac-64@openssh.com
> debug2: MACs stoc: umac-64@openssh.com
> debug2: MACs ctos: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm
2015 Jul 29
3
Updating from 6.6 - 6.9 SSH
No I'm referring to "sshd -ddd" (preferable on a high port like -p
8080 so you don't break your current ability to connect to the
machine). As clearly the server is rejecting it. And only the server
side debug can tell us that.
- Ben
Nick Stanoszek wrote:
> I am using an AWS ubuntu 14.04 server...is that what you are asking?
>
> On Tue, Jul 28, 2015 at 10:00 PM,
2014 Mar 27
1
AIX SFTP with chroot : conection closed without error message
Hello,
I'm trying to setup a chroot for one user on my AIX 5.2 system
I have tried with openssh 5.0 (don't know where it comes from) and as it
didn't work, I have downloaded and compiled the current version (6.6p1)
When I connect, password is checked, chroot is done, sftp subsystem is
accepted, but I get disconnected without any error
Below is all can say about my config (after
2017 Jan 20
2
^C doesn't work on ssh session
Thanks Darren, will check on your response.
I am attaching sshd, ssh logs with debug flags. Please see if it gives any
hint:
when I press ^C in ssh session, no log gets printed in both server/client
side.
Best Regards,
On Wed, Jan 18, 2017 at 3:09 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Wed, Jan 18, 2017 at 5:10 AM, Sudarshan Soma <sudarshan12s at gmail.com>
2018 Apr 24
2
AIX make checks issue
On 23/04/2018 11:49, Michael Felt wrote:
> On 21/04/2018 16:21, Michael Felt wrote:
>
>
> Question: I have not dug into the tests yet. Will copy to a "local"
> directory, and not build out of tree and see if that fixes it (as it
> does for many other packages). However, just in case it does not - how
> can I fast-forward the tests to the "agent" tests?
2016 Oct 24
2
SSH fail to login due to hang over after authenticated.
I don't think it will be easy to identify the problem remotely. You can try
logging in with password (if not disabled), or sshing with some other key,
or logging into some other user. If you are able to get access to the
machine, post the server's error log here.
On Mon, Oct 24, 2016 at 9:55 PM, Jin Li <lijin.abc at gmail.com> wrote:
> Hi Tanmay,
>
> The server is not
2017 Jan 27
4
Notes on openssh configuration
Hello list,
To my astonishment the openssh versions on both C6 and C7 will by
default negotiate an MD5 HMAC.
C6 client, C7 server:
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
C7 client & server:
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: