Hardening SSH MAC algorithms
Hello,
I have a security requirement to disable all 96-bit and MD5 hash algorithms in SSH.
The MAC algorithms that are considered secure are:
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
umac-128@openssh.com
The SSH version installed in RHEL 7.3 appears to be OpenSSH 6.6. The command "sshd -T | grep macs" shows the supported MAC algorithms, and all of the above are included (plus a bunch of the MD5 and 96-bit algorithms).
If I add a "macs" line to "/etc/ssh/sshd_config" to include just the secure algorithms above (by default there is no "macs" line added to sshd_config), the clients can't connect to the ssh server; I never get a login prompt; it just immediately drops the connection.
The client being used to connect is the most recent version of putty - I also tested it with a current trial commercial version of SSH and also a Tectia client, and get the same result from all of them.
I think I just must be missing an important step - any suggestions?
Paul
Responses
Paul,
When you added the macs line to sshd_config, does the 'sshd -T' output correctly show these as still available?
Have you confirmed that the sshd service is starting correctly after the config change?
systemctl status sshd
Can you see the sshd service listening after restart?
netstat -l
Is there anything in the systemd journal or ssh log files complaining about configuration issues?
This link may also assist in the configuration parameter you specify:
https://access.redhat.com/solutions/420283
Hi,
I use exactly the same MACs on RHEL 7.3 and CentOS 7.3 systems and they work fine for putty and SecureCRT (both recent versions):
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
I did observe that FileZilla had a problem with one of the MACs though.
Regards,
DB
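As an added example (not code from any of the replies above), the following bash helpers automate the checks the first reply asks for and derive the MACs line from what the server actually offers rather than from a hand-typed list. The "sshd -T" output embedded below is constructed to look like an OpenSSH 6.6 default list; the function names are this example's own. `sshd -t`, `sshd -T` and `systemctl restart sshd` are real commands and are only called from the host-side function, which is not exercised in the demo.

```shell
#!/usr/bin/env bash
# Added example for this thread, not from the original posts.
# SAMPLE_SSHD_T_MACS is CONSTRUCTED to resemble `sshd -T | grep -i macs` on OpenSSH 6.6.
SAMPLE_SSHD_T_MACS='macs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96'

# The six MACs the original post wants to keep.
REQUIRED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# Extract the comma-separated list from a "macs ..." line of `sshd -T` output.
macs_from_sshd_t() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# Drop every MAC whose name matches an extended regex (case-insensitive) from a
# comma-separated list. Default pattern is the stated requirement: MD5 and 96-bit tags.
filter_macs() {
  local list=$1 pattern=${2:-'md5|-96'}
  printf '%s\n' "$list" | tr ',' '\n' | grep -Eiv "$pattern" | paste -s -d ',' -
}

# Print each required MAC that is absent from the supported list, one per line.
# Empty output means the server still offers everything clients will be asked to use.
missing_macs() {
  local required=$1 supported=$2 name
  for name in $(printf '%s' "$required" | tr ',' ' '); do
    case ",$supported," in
      *",$name,"*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Report whether sshd_config has a MACs line in global scope ("global"), only below a
# Match block ("match-only": it then applies to that block alone), or not at all ("none").
macs_line_scope() {
  awk '
    BEGIN { in_match = 0; scope = "none" }
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { in_match = 1; next }
    tolower($1) == "macs" {
      if (!in_match) scope = "global"
      else if (scope == "none") scope = "match-only"
    }
    END { print scope }
  ' "$1"
}

# Host-side procedure (needs root, sshd and systemd; NOT run in this demo): back up the
# config, add the line above any Match block, syntax-check, restart, re-read the live list.
install_macs_line() {
  local list=$1 cfg=${2:-/etc/ssh/sshd_config}
  [ "$(macs_line_scope "$cfg")" = "none" ] || { echo "MACs already set in $cfg" >&2; return 1; }
  grep -Eiq '^[[:space:]]*match' "$cfg" && { echo "Match block present: put MACs above it" >&2; return 1; }
  cp -p "$cfg" "$cfg.bak"
  printf 'MACs %s\n' "$list" >> "$cfg"
  sshd -t -f "$cfg" || { cp -p "$cfg.bak" "$cfg"; return 1; }   # bad config: roll back
  systemctl restart sshd && sshd -T | grep -i '^macs '
}

# Demo on the constructed sample.
supported=$(macs_from_sshd_t "$SAMPLE_SSHD_T_MACS")
echo "requirement only (md5|-96) leaves: $(filter_macs "$supported")"
echo "stricter (also sha1, ripemd160, umac-64) leaves: $(filter_macs "$supported" 'md5|-96|sha1|ripemd160|umac-64')"
echo "required but unsupported: $(missing_macs "$REQUIRED_MACS" "$supported" | paste -s -d ',' -)"
```

Two things the demo makes visible. First, the literal requirement ("MD5 and 96-bit") still leaves umac-64, whose tag is 64 bits, shorter than the 96-bit MACs being removed; the post's own "considered secure" list already excludes it, and the stricter pattern reproduces exactly those six names. Second, a MACs line that lands below a Match block in sshd_config is scoped to that block, so `sshd -T` for the global case keeps showing the weak defaults; checking the scope before restarting is cheaper than debugging dropped connections afterwards. If a client still fails to connect after the line takes effect, `ssh -vvv` on the client prints the MAC negotiation and shows which side offered nothing in common.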
