{"id":6913,"date":"2017-08-25T14:15:04","date_gmt":"2017-08-25T06:15:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=6913"},"modified":"2017-08-25T14:54:00","modified_gmt":"2017-08-25T06:54:00","slug":"ssh-vulnerabilities-hmac-algorithms-and-cbc-ciphers","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6913","title":{"rendered":"SSH vulnerabilities: HMAC algorithms and CBC ciphers"},"content":{"rendered":"<p>e defaults in the various RHEL version differ and the current default can be found in manual page for\u00a0<code>sshd_config<\/code>. For example RHEL6:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>The default is:\r\n                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,\r\n                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,\r\n                aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\n<\/code><\/pre>\n<\/div>\n<p>You can remove the CBC ciphers by adding the line for\u00a0<strong>RHEL7<\/strong>:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour\r\n<\/code><\/pre>\n<\/div>\n<p>The line for\u00a0<strong>RHEL6<\/strong>:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour\r\n<\/code><\/pre>\n<\/div>\n<p>The line for\u00a0<strong>RHEL5<\/strong>\u00a0(note the order of ciphers &#8211; the RC4 cipher is also known for several vulnerabilities and should not be used):<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>Ciphers aes128-ctr,aes192-ctr,aes256-ctr',arcfour128,arcfour256,arcfour\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>Restart\u00a0<code>sshd<\/code>\u00a0to apply the changes:<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code># service sshd restart<\/code><\/pre>\n<h3>D5 HMACs<\/h3>\n<ul>\n<li>In order to remove\u00a0<strong>HMAC MD5<\/strong>, add or modify the &#8220;MACs&#8221; line in\u00a0<code>\/etc\/ssh\/sshd_config<\/code>\u00a0as below.<\/li>\n<\/ul>\n<p>The defaults in the various RHEL version differ and the current default can be found in manual page for\u00a0<code>sshd_config<\/code>. For example RHEL6:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>The default is:\r\n                   hmac-md5,hmac-sha1,umac-64@openssh.com,\r\n                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,\r\n                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com\r\n<\/code><\/pre>\n<\/div>\n<p>You can remove the hmac-md5 MACs by adding a line to\u00a0<code>\/etc\/ssh\/sshd_config<\/code>\u00a0for\u00a0<strong>RHEL7<\/strong>:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160\r\n<\/code><\/pre>\n<\/div>\n<p>The line for the\u00a0<strong>RHEL6<\/strong>:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com\r\n<\/code><\/pre>\n<\/div>\n<p>The line for\u00a0<strong>RHEL5<\/strong>:<\/p>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code>MACs hmac-sha1,hmac-ripemd160\r\n<\/code><\/pre>\n<\/div>\n<ul>\n<li>Restart\u00a0<code>sshd<\/code>\u00a0to apply the changes:<\/li>\n<\/ul>\n<div class=\"code-raw\">\n<div class=\"code-raw-toolbar\"><\/div>\n<pre><code># service sshd restart<\/code><\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>e defaults in the various RHEL version differ and the current default can be found in manual page for sshd_config. For example RHEL6:<\/p>\n<p> The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se <\/p>\n<p>You can remove the CBC ciphers by adding the line for RHEL7:<\/p>\n<p> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour <\/p>\n<p>The line for RHEL6:<\/p>\n<p> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour <\/p>\n<p>The line for RHEL5 (note the [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6913"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6913"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6913\/revisions"}],"predecessor-version":[{"id":6917,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6913\/revisions\/6917"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}