disallow specific ssh ciphers and/or MACS (white list approach)

K

kundai tinarwo

New Member
Joined
May 25, 2017
Messages
2
Reaction score
0
Credits
0
Hi people, I have a report detailing weak ssh ciphers on a system. How can I dis-allow these specific weak ciphers. The common solution which I am aware of is adding the following lines in sshd_config (which is a black list approach):

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160

The solution I am looking for is a config which in theory allows all ciphers and MACs except the weak ones (white list approach) as opposed to explicitly defining which ciphers to be allowed.
 


Rob

Rob

Administrator
Staff member
Joined
Oct 27, 2011
Messages
1,006
Reaction score
1,942
Credits
1,969
I like the answer you got on stackexchange.. list the allowed ones in the sshd_config (white list) and you have the option of disallowing (blacklist) by putting - in front of them:

It depends on what OpenSSH version are you using. In versions below 7.5, you have no other option than you already said -- list all the white-listed algorithms.

Since OpenSSH 7.5 you can use - modifier, which will blacklist "bad" algorithms from the default set, such as

Code: 
Ciphers -arcfour
MACs -hmac-md5
Click to expand...
(from https://security.stackexchange.com/...c-ssh-ciphers-and-or-macs-white-list-approach)
 
You must log in or register to reply here.
MALIBAL Linux Laptops

Linux Laptops Custom Built for You
MALIBAL is an innovative computer manufacturer that produces high-performance, custom laptops for Linux.

For more info, visit: https://www.malibal.com

Staff online

Members online

Total: 395 (members: 4, guests: 391)

Latest posts

Top