I am trying to lock down the SSH config on an appliance to reject connections using the above ciphers and algorithms.
So I have edited the sshd_config file (which, as far as I can see, does not have any reference to these ciphers or algorithms in it) to include:
Restarting the sshd service works.
So the question is: will the addition of these two lines to the foot of the sshd_config file prevent the use of SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms, or do I need to do something further?
Any advice appreciated :-)
Editing the sshd_config file as described works. The second file does not require editing.
Update: any thoughts?
Was having a browse on the MWG and discovered this file:
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
So if I replace the highlighted text above with:
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
# MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Does this solve my issue, or do I still have to make the required change on both files and restart the SSH service?
Also, do I need to remove the # on both lines in the file above?
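A way to check what the thread discusses, added here as an example and not part of any post above: the function reads sshd_config text (or `sshd -T` output) on stdin, skips commented lines as sshd does, and lists any CBC ciphers or weak MACs that remain active. The function name, the sample text, and the definition of "weak MAC" (MD5-based or 96-bit truncated) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report CBC ciphers and weak MACs in sshd configuration text.
# Assumptions: "weak MAC" means MD5-based or 96-bit truncated; the +/-/^ list
# modifiers of newer OpenSSH are not interpreted (feed `sshd -T` output instead,
# which prints the expanded lists).
audit_sshd_algos() {
    awk '
    /^[ \t]*#/ { next }                   # commented lines have no effect
    {
        key = tolower($1)
        if (key != "ciphers" && key != "macs") next
        if (seen[key]++) next             # sshd keeps the first value per keyword
        n = split($2, algo, ",")
        for (i = 1; i <= n; i++) {
            if (key == "ciphers" && algo[i] ~ /-cbc(@|$)/) print "cipher " algo[i]
            if (key == "macs" && algo[i] ~ /md5|-96/)      print "mac " algo[i]
        }
    }
    END {
        # No active line: the compiled-in defaults of the installed sshd apply.
        if (!("ciphers" in seen)) print "ciphers unset"
        if (!("macs" in seen))    print "macs unset"
    }'
}

# Constructed sample (not taken from the appliance): the first line is commented
# out and ignored, the Ciphers line is clean, the MACs line still has hmac-md5.
SAMPLE='# Ciphers aes128-ctr,aes128-cbc,3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-ripemd160'

printf '%s\n' "$SAMPLE" | audit_sshd_algos
```

Where the installed OpenSSH supports extended test mode, `sshd -T | audit_sshd_algos` run as root checks the settings the server actually uses rather than the file contents.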