SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms

Hi all,

I am trying to lock down the SSH config on an appliance to reject connections using the above ciphers and algorithms.

So I have edited the sshd_config file (which, as far as I can see, does not have any reference to these ciphers or algorithms in it) to include:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Restarting the sshd service works.

So the question is: will the addition of these two lines at the foot of the sshd_config file prevent the use of SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms, or do I need to do something further?

Any advice appreciated :-)
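The two directives above only do what the poster expects if sshd actually reads them, and sshd_config has two rules that matter here: a line whose first non-blank character is `#` is a comment and has no effect, and for a keyword that appears more than once the first occurrence wins, so a line appended at the foot of the file only takes effect when no earlier line already set that keyword (the poster confirms there is none). The following script is an added example, not code from the thread or from the appliance vendor: it parses an sshd_config with those two rules, applies OpenSSH's `+list` / `-list` forms, and reports the CBC ciphers and MD5/96-bit MACs that the two scanner findings in the title are about. It also reports RC4 (`arcfour*`) ciphers, which the thread's allowed list still contains and which later scanner checks flag separately. The `DEFAULTS` table is constructed to mirror the commented template quoted later in the thread, not read from a real sshd build, and `Match` blocks are assumed absent.

```python
import re

# Constructed stand-in for sshd's built-in defaults (mirrors the commented
# template quoted later in the thread). Not taken from any real sshd build:
# run `sshd -T` on the appliance to see the true defaults.
DEFAULTS = {
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
               "aes128-cbc,3des-cbc",
    "macs": "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160",
}

CBC_CIPHER = re.compile(r"-cbc$")
# MD5-based and 96-bit-truncated MACs are what "weak MAC" scanner checks flag.
WEAK_MAC = re.compile(r"md5|-96(?:$|-etm@)")


def effective_config(text):
    """Parse sshd_config text into {keyword: value}, as sshd reads it.

    Only the first occurrence of a keyword is kept (sshd ignores later ones),
    keywords are case-insensitive, and a line whose first non-blank character
    is '#' is a comment. Match blocks are not modelled (assumed absent).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)\s*(?:=|\s)\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        conf.setdefault(key, value)  # first one wins
    return conf


def resolve_list(value, default):
    """Expand OpenSSH's '+list' (append to default) and '-list' (remove from
    default) forms; a plain list replaces the default entirely."""
    base = default.split(",")
    if value.startswith("+"):
        return base + [v for v in value[1:].split(",") if v not in base]
    if value.startswith("-"):
        removed = set(value[1:].split(","))
        return [v for v in base if v not in removed]
    return value.split(",")


def audit(text, defaults=DEFAULTS):
    """Return the algorithms a CBC / RC4 / weak-MAC finding would report."""
    conf = effective_config(text)
    ciphers = resolve_list(conf.get("ciphers", defaults["ciphers"]), defaults["ciphers"])
    macs = resolve_list(conf.get("macs", defaults["macs"]), defaults["macs"])
    return {
        "cbc_ciphers": [c for c in ciphers if CBC_CIPHER.search(c)],
        "rc4_ciphers": [c for c in ciphers if c.startswith("arcfour")],
        "weak_macs": [m for m in macs if WEAK_MAC.search(m)],
    }


# Constructed configs. BEFORE has no Ciphers/MACs line at all, so the defaults
# apply; AFTER is the thread's fix appended at the foot of the file.
BEFORE = "Port 22\nProtocol 2\nPermitRootLogin no\n"
AFTER = BEFORE + (
    "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128\n"
    "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160\n"
)
# A commented-out directive changes nothing, and an earlier directive beats a
# later one: both are easy ways to believe a file is hardened when it is not.
COMMENTED = BEFORE + "#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"
FIRST_WINS = "Ciphers aes128-cbc\n" + AFTER

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("after", AFTER),
                      ("commented", COMMENTED), ("first-wins", FIRST_WINS)]:
        print(name, audit(cfg))
```

Run it against a copy of the appliance's real sshd_config (`audit(open(path).read())`) before and after the edit; an empty `cbc_ciphers` and `weak_macs` list is the result the two scanner findings want, and a non-empty `rc4_ciphers` list is the next thing a scanner will raise.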

2 Replies
Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms

Update: any thoughts?

I was having a browse on the MWG and discovered this file:

etc/ssh/ssh_config

which contains

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *

So if I replace the highlighted text above with:

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no

Does this solve my issue, or do I still have to make the required change in both files and restart the SSH service?

Also, do I need to remove the # on both lines in the file above?

Thanks,

🙂
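The file found above is the SSH client configuration (ssh_config); it governs connections the appliance makes outbound and has no bearing on what its own server accepts, which is the question the scanner findings are about. The quickest way to settle "did my edit take effect" is to ask the running server rather than re-read the file. The script below is an added example, not something posted in the thread or shipped with the appliance; it assumes an OpenSSH sshd new enough to support `sshd -T` (which prints the effective configuration, built-in defaults included, and normally needs root to read the host keys). `weak_algos` filters that output for CBC and RC4 ciphers and for MD5 or 96-bit MACs, and `audit_running_sshd` exits non-zero when anything is flagged, so it can be dropped into a post-change check.

```sh
#!/bin/sh
# Added example, not from the thread: confirm what the *running* sshd offers
# after the edit, instead of trusting the file. Assumes an OpenSSH sshd that
# supports "sshd -T" (effective configuration dump; usually needs root).
# Only sshd_config affects inbound connections; ssh_config is the client side.

# weak_algos: read "sshd -T" output on stdin and print one "cipher X" or
# "mac X" line per algorithm that CBC, RC4 or weak-MAC scanner findings flag.
weak_algos() {
    awk '
    $1 == "ciphers" || $1 == "macs" {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            v = a[i]
            if ($1 == "ciphers" && (v ~ /-cbc$/ || v ~ /^arcfour/))
                print "cipher " v
            if ($1 == "macs" && (v ~ /md5/ || v ~ /-96$/ || v ~ /-96-etm@/))
                print "mac " v
        }
    }'
}

# audit_running_sshd: dump the effective server config and filter it.
# Returns 1 when something is flagged so it can gate a change ticket.
audit_running_sshd() {
    found=$(sshd -T 2>/dev/null | weak_algos)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    echo "no CBC/RC4 ciphers or weak MACs offered"
}

# Run the audit only when invoked with --run, so the functions can be sourced
# and tested with constructed input.
if [ "${1:-}" = "--run" ]; then
    audit_running_sshd
fi
```

With the thread's two lines in force, the expected result is that only the `arcfour256` / `arcfour128` entries remain flagged; if `aes128-cbc`, `3des-cbc` or `hmac-md5` still appear, the appended directives are not the first occurrence of those keywords in the file, or the service was not actually restarted.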

Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms (Accepted Solution)

Editing the sshd_config file as described works. The second file does not require editing.

Thanks...
