SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms

Hi all,

I am trying to lock down the SSH config on an appliance to reject connections using the above ciphers and algorithms.

So I have edited the sshd_config file (which, as far as I can see, does not have any reference to these ciphers or algorithms in it) to include:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160


Restarting the sshd service works.

So the question is: will the addition of these two lines to the foot of the sshd_config file prevent the use of SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms, or do I need to do something further?

Any advice appreciated :-)

1 Solution

Accepted Solutions

Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms

Editing the sshd_config file as described works. The second file does not require editing.

Thanks...
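As an added example, not posted by anyone in this thread, the script below audits an sshd_config text the way the two scanner findings in the title do: a cipher name ending in -cbc is a CBC-mode cipher, and the weak-MAC finding normally covers MD5-based and 96-bit-truncated MACs. It also encodes a caveat the accepted answer leaves implicit: sshd uses the first occurrence of each keyword, so lines appended at the foot of the file only take effect if no Ciphers or MACs line appears earlier in it, which is why it mattered that the original file had none. Both configuration samples are constructed for illustration; the second one contains the poster's own two lines.

```python
"""Audit an sshd_config for CBC-mode ciphers and weak MACs.

Added example, not code from the original thread. The sample
configurations at the bottom are constructed for illustration.
"""

import re

# OpenSSH names CBC-mode ciphers with a "-cbc" suffix (aes128-cbc, 3des-cbc,
# ...); the one exception is the alias rijndael-cbc@lysator.liu.se.
def is_cbc_cipher(name):
    return name.endswith("-cbc") or name.startswith("rijndael-cbc")

# Scanner "weak MAC" findings target MD5-based MACs and 96-bit truncated MACs,
# with or without the encrypt-then-MAC (-etm@openssh.com) variant.
WEAK_MAC_RE = re.compile(r"(hmac-md5|-96)(-etm@openssh\.com)?$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd_config semantics: for each keyword the FIRST occurrence wins, so a
    line appended at the end of the file is ignored if the keyword already
    appears earlier. Lines inside a Match block are skipped here.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(keyword, value)    # first occurrence wins
    return settings


def audit(text):
    """Report which weak algorithms the effective Ciphers/MACs lines allow.

    If a keyword is absent the server's compiled-in defaults apply; those
    depend on the OpenSSH version and are not guessed here.
    """
    cfg = parse_sshd_config(text)
    ciphers = cfg.get("ciphers")
    macs = cfg.get("macs")
    return {
        "ciphers_set": ciphers is not None,
        "macs_set": macs is not None,
        "cbc_ciphers": [c for c in (ciphers or "").split(",") if is_cbc_cipher(c)],
        "weak_macs": [m for m in (macs or "").split(",") if WEAK_MAC_RE.search(m)],
    }


# Constructed sample: an earlier Ciphers/MACs pair already exists and the
# hardened lines were appended at the foot. First occurrence wins, so the
# appended lines change nothing and the weak algorithms stay enabled.
APPENDED_AFTER_EXISTING = """\
Port 22
Protocol 2
Ciphers aes128-cbc,3des-cbc,aes128-ctr
MACs hmac-md5,hmac-sha1,hmac-sha1-96
# appended by the administrator
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
"""

# Constructed sample: no earlier Ciphers/MACs keyword, which is the situation
# described in the thread. The appended lines are now the effective ones.
HARDENED = """\
Port 22
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
"""


def main():
    for label, text in (("appended after existing", APPENDED_AFTER_EXISTING),
                        ("hardened", HARDENED)):
        print(label, audit(text))


if __name__ == "__main__":
    main()
```

To check what the running daemon actually offers rather than what the file says, run sshd -T (OpenSSH 5.1 and later) as root and inspect its ciphers and macs lines; then, from a client, try ssh -o Ciphers=aes128-cbc user@host, which a hardened server refuses with "no matching cipher found". /etc/ssh/ssh_config is the client-side file and only governs outbound connections from the appliance, which is why it does not need editing for these findings. Note also that arcfour128/arcfour256 are RC4, a stream cipher rather than CBC, so they pass the CBC check, but later OpenSSH releases dropped support for them entirely.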

2 Replies

Re: SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms

Update: any thoughts?

I was having a browse on the MWG and discovered this file:

etc/ssh/ssh_config

which contains

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *

So if I replace the highlighted text above with:

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no

Does this solve my issue, or do I still have to make the required change in both files and restart the SSH service?

Also...Do I need to remove the # on both lines in the file above?

Thanks,

:-)
