Hardening SSH MAC algorithms

Hello,
I have a security requirement to disable all 96-bit and MD5 hash algorithms in SSH.

The MAC algorithms that are considered secure are:
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
umac-128@openssh.com

The SSH version installed in RHEL 7.3 appears to be OpenSSH 6.6. The command "sshd -T | grep macs" shows the supported MAC algorithms, and all of the above are included (plus a bunch of the MD5 and 96-bit algorithms).

If I add a "macs" line to "/etc/ssh/sshd_config" to include just the secure algorithms above (by default there is no "macs" line added to sshd_config), the clients can't connect to the ssh server; I never get a login prompt; it just immediately drops the connection.

The client being used to connect is the most recent version of PuTTY. I also tested it with a current trial commercial version of SSH and also a Tectia client, and get the same result from all of them.

I think I must just be missing an important step - any suggestions?

Paul
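As an added example (not part of the post above, and not Red Hat's or OpenSSH's own tooling), the following script audits the MAC list that "sshd -T" reports against the allow list given in the question and prints the line to pin in sshd_config. The "sshd -T" sample embedded in it is constructed; the function names and the `LINE=$(sshd -T ...)` substitution are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the MAC algorithms sshd
# offers against the allow list given in the question, prints the ones the
# requirement forbids (96-bit truncations and MD5), and emits the
# sshd_config line that pins the allowed set. Assumes OpenSSH's "sshd -T"
# output format ("macs a,b,c", lowercase keyword).

# Allow list, exactly as listed in the question.
ALLOWED="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

# weak_macs "macs a,b,c": print (one per line) the algorithms that are
# 96-bit truncated or MD5 based, i.e. the ones the requirement forbids.
weak_macs() {
    printf '%s\n' "$1" | sed 's/^macs //' | tr ',' '\n' \
        | grep -E -- '-96|md5' || true
}

# not_allowed "macs a,b,c": print every offered algorithm that is outside
# the allow list (stricter than weak_macs: catches sha1, umac-64, ripemd160).
not_allowed() {
    printf '%s\n' "$1" | sed 's/^macs //' | tr ',' '\n' | while read -r m; do
        case ",$ALLOWED," in
            *",$m,"*) ;;                 # in the allow list, fine
            *) printf '%s\n' "$m" ;;     # offered but not allowed
        esac
    done
}

# config_line: the line to add to /etc/ssh/sshd_config. Check the file with
# "sshd -t" before restarting sshd, and keep an existing session open while
# you test a fresh login from a client.
config_line() {
    printf 'MACs %s\n' "$ALLOWED"
}

# Constructed sample of a "sshd -T | grep macs" line with the kind of MD5 and
# 96-bit entries the question mentions. On a live host use instead:
#   LINE=$(sshd -T 2>/dev/null | grep '^macs ')
SAMPLE='macs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96'

main() {
    echo "Forbidden (96-bit or MD5) MACs currently offered:"; weak_macs "$SAMPLE"
    echo; echo "Everything offered outside the allow list:"; not_allowed "$SAMPLE"
    echo; echo "Line to add to /etc/ssh/sshd_config:"; config_line
}

main
```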
