Disable Weak Key Exchange Algorithm, CBC Mode in SSH
source link: https://blog.51cto.com/wemux/5576385
Back up /etc/sysconfig/sshd and /etc/ssh/sshd_config before changing anything:
cp /etc/sysconfig/sshd /etc/sysconfig/sshd.before
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before
Edit /etc/sysconfig/sshd to uncomment the CRYPTO_POLICY setting. On RHEL 8 the file ships with that line commented out, and while it is commented sshd is started with the system-wide crypto policy's algorithm lists passed as -o command-line options, which override anything set in sshd_config. Uncommenting the line (leaving its value empty) opts sshd out of the system policy, so the Ciphers, MACs and KexAlgorithms directives added below actually take effect.
Copy the following ciphers, MACs, and KexAlgorithms to /etc/ssh/sshd_config.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Verify the configuration file before restarting the SSH server (sshd's -t test mode parses the file and reports errors without starting a daemon, so a typo cannot lock you out of the host).
If no errors are reported, restart the sshd service.
Test whether weak CBC ciphers are still accepted by connecting from a client with a CBC cipher forced on the client side (ssh's -c option) against the server:
<server>
If the connection goes through to a password prompt, the server accepted the CBC cipher: weak ciphers are still enabled.
If it fails because CBC ciphers are disabled, ssh aborts with a "no matching cipher found" error and lists what the server offered, which should be exactly the hardened cipher list:
Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
To test whether weak MAC algorithms are enabled, make the same kind of connection with a weak MAC forced on the client side (ssh's -m option, for example hmac-md5) and verbose debugging turned on:
The RHEL 8 default cipher list includes AEAD ciphers (chacha20-poly1305 and AES-GCM) that carry an implicit MAC, so a connection that forces hmac-md5 can still negotiate successfully and securely even though it appears to be using hmac-md5. Look at the concluding negotiation in the debug output, where you will see something similar to:
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"MAC: <implicit>" means the forced MAC was never used at all. To exercise the server's MAC list itself, also force a non-AEAD cipher such as aes256-ctr in the same command; a rejected hmac-md5 then fails with a "no matching MAC found" error, and a password prompt means the weak MAC is still accepted.
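The whole procedure above (opt out of the crypto policy, set the algorithm lists while keeping a backup, verify before restarting, then probe from a client for CBC and hmac-md5) collected into one script, added here as an example and not taken from the original post. The Ciphers and MACs lists are the ones shown above; the KexAlgorithms list and the pattern used to flag weak algorithm names are this example's own choices, as are the function names and the harden.sh usage. It assumes a RHEL 8 layout (/etc/sysconfig/sshd, /etc/ssh/sshd_config) and a systemd-managed sshd.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: harden sshd's algorithm lists
# and check the result both on disk and on the wire.
# Assumptions: RHEL 8 layout, systemd-managed sshd, and the lists below (the
# KexAlgorithms list is this example's choice; the post shows only Ciphers/MACs).
set -eu

STRONG_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
STRONG_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
STRONG_KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256'

# Algorithm names that have no place in a hardened config: CBC modes, RC4/3DES/
# Blowfish/CAST ciphers, MD5- or SHA-1-based MACs and KEX, 64-bit UMAC tags.
WEAK_RE='-cbc$|arcfour|3des|blowfish|cast128|md5|sha1|^umac-64'

# weak_algos_in [FILE]: print every weak algorithm named in Ciphers/MACs/
# KexAlgorithms directives of FILE (default: stdin), one per line.
# Empty output means clean.  `sshd -T | weak_algos_in` audits the *effective*
# config, i.e. what the running daemon would actually negotiate.
weak_algos_in() {
  awk 'tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
         n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' "${1:-/dev/stdin}" \
    | grep -iE -e "$WEAK_RE" || true
}

# harden_sshd_config FILE: keep a .before copy, drop any existing algorithm
# directives (which may be the weak ones), and append the strong lists.
harden_sshd_config() {
  local cfg=$1 tmp
  cp -p "$cfg" "$cfg.before"
  tmp=$(mktemp)
  awk 'tolower($1) !~ /^(ciphers|macs|kexalgorithms)$/' "$cfg" > "$tmp"
  printf 'Ciphers %s\nMACs %s\nKexAlgorithms %s\n' \
    "$STRONG_CIPHERS" "$STRONG_MACS" "$STRONG_KEX" >> "$tmp"
  cat "$tmp" > "$cfg"   # cat rather than mv keeps the file's owner and mode
  rm -f "$tmp"
}

# detach_from_crypto_policy FILE: uncomment "# CRYPTO_POLICY=" in
# /etc/sysconfig/sshd so sshd no longer receives the system-wide policy's
# -o options (which would override the directives in sshd_config).
detach_from_crypto_policy() {
  local f=$1 tmp
  cp -p "$f" "$f.before"
  tmp=$(mktemp)
  awk '{ sub(/^#[ \t]*CRYPTO_POLICY=/, "CRYPTO_POLICY="); print }' "$f" > "$tmp"
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

# verify_and_restart: sshd -t parses the config and exits non-zero on any
# error; restart only when it is clean so a typo cannot lock you out.
verify_and_restart() {
  sshd -t && systemctl restart sshd
}

# probe_weak HOST CIPHER MAC: connect with a single cipher and MAC forced on the
# client side.  Returns 0 when the server rejected them ("no matching cipher/MAC
# found"), 1 when negotiation succeeded (weak algorithms still enabled).  Pair a
# CTR cipher with the MAC under test: RHEL 8's default AEAD ciphers carry an
# implicit MAC and would hide a permitted hmac-md5.
probe_weak() {
  local host=$1 cipher=$2 mac=$3 out
  out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 -c "$cipher" -m "$mac" "$host" true 2>&1 || true)
  if printf '%s\n' "$out" | grep -qE 'no matching (cipher|MAC) found'; then
    printf 'rejected: %s\n' "$out"
    return 0
  fi
  printf 'ACCEPTED (weak algorithms still enabled): %s %s\n' "$cipher" "$mac"
  return 1
}

# Usage (as root on the server):  harden.sh <server-address-to-probe>
if [ "$#" -ge 1 ]; then
  detach_from_crypto_policy /etc/sysconfig/sshd
  harden_sshd_config /etc/ssh/sshd_config
  weak_algos_in /etc/ssh/sshd_config
  verify_and_restart
  probe_weak "$1" aes128-cbc hmac-sha2-256   # CBC test from the post
  probe_weak "$1" aes256-ctr hmac-md5        # MAC test, non-AEAD cipher forced
fi
```

The probes run the client-side checks the post describes: the first forces a CBC cipher (a hardened server answers "no matching cipher found" with its offer), the second forces hmac-md5 together with a CTR cipher so that the server's MAC list, not an implicit AEAD MAC, decides the outcome.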