disallow specific ssh ciphers and/or MACS (white list approach)

kundai tinarwo

New Member, joined May 25, 2017
Hi people, I have a report detailing weak ssh ciphers on a system. How can I disallow these specific weak ciphers? The common solution which I am aware of is adding the following lines in sshd_config (which is a black list approach):

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160

The solution I am looking for is a config which in theory allows all ciphers and MACs except the weak ones (white list approach), as opposed to explicitly defining which ciphers are to be allowed.
 


Rob

Administrator, Staff member, joined Oct 27, 2011
I like the answer you got on stackexchange: list the allowed ones in the sshd_config (white list), and you have the option of disallowing (blacklist) by putting - in front of them:

It depends on what OpenSSH version you are using. In versions below 7.5, you have no other option than the one you already said -- list all the white-listed algorithms.

Since OpenSSH 7.5 you can use the - modifier, which will blacklist "bad" algorithms from the default set, such as

Code:
Ciphers -arcfour
MACs -hmac-md5
(from https://security.stackexchange.com/...c-ssh-ciphers-and-or-macs-white-list-approach)
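As an added example (not from this thread, the stackexchange answer, or OpenSSH itself): a small Python helper that reads the effective Ciphers/MACs lists from `sshd -T` output (a constructed sample is embedded), reports which weak algorithms are still enabled, and emits the matching sshd_config lines, using the `-` modifier on 7.5+ and an explicit allow-list on older versions. The weak-algorithm set and the sample output are assumptions for the example; take the real list from your scanner report.

```python
import re

# Constructed sample of `sshd -T | grep -Ei '^(ciphers|macs) '` (made-up values)
SAMPLE_SSHD_T = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour
macs hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-sha1
"""
# Assumed weak set for this example, not a complete list
WEAK = {
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}
DIRECTIVE = {"ciphers": "Ciphers", "macs": "MACs"}


def parse_version(ssh_v_output):
    """Extract (major, minor) from `ssh -V` text such as 'OpenSSH_7.4p1 ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v_output)
    if not m:
        raise ValueError("not an OpenSSH version string")
    return int(m.group(1)), int(m.group(2))


def effective_algorithms(sshd_t_output):
    """Parse the lowercase `ciphers ...` / `macs ...` lines that sshd -T prints."""
    algs = {}
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key in DIRECTIVE and value:
            algs[key] = value.split(",")
    return algs


def still_enabled(algs):
    """Weak algorithms present in the effective lists, keyed by directive."""
    found = {k: [a for a in v if a in WEAK[k]] for k, v in algs.items()}
    return {k: v for k, v in found.items() if v}


def directives(version, algs):
    """sshd_config lines that drop the weak entries: '-' subtraction from the
    default set on 7.5+, an explicit allow-list of the remaining ones before."""
    weak = still_enabled(algs)
    lines = []
    for key, title in DIRECTIVE.items():
        if version >= (7, 5):
            if key in weak:
                lines.append(f"{title} -{','.join(weak[key])}")
        else:
            keep = [a for a in algs.get(key, []) if a not in WEAK[key]]
            lines.append(f"{title} {','.join(keep)}")
    return lines
```

After editing sshd_config, re-run `sshd -T` and feed its output to `still_enabled` to confirm the result is empty before reloading the service.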