Hardening SSH MAC algorithms


Hello,
I have a security requirement to disable all 96 bit and MD5 hash algorithms in SSH.

The MAC algorithms that are considered secure are:
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
umac-128@openssh.com

The SSH version installed in RHEL 7.3 appears to be OpenSSH 6.6. The command "sshd -T | grep macs" shows the supported MAC algorithms, and all of the above are included (plus a bunch of the MD5 and 96-bit algorithms).

If I add a "macs" line to "/etc/ssh/sshd_config" to include just the secure algorithms above (by default there is no "macs" line in sshd_config), the clients can't connect to the SSH server; I never get a login prompt; it just immediately drops the connection.

The client being used to connect is the most recent version of PuTTY. I also tested it with a current trial of a commercial SSH client and with a Tectia client, and get the same result from all of them.

I think I just must be missing an important step - any suggestions?

Paul

Responses

Paul,

When you added the macs line to sshd_config, does the 'sshd -T' output correctly show these as still available?

Have you confirmed that the sshd service is starting correctly after the config change?

systemctl status sshd

Can you see the sshd service listening after restart?

netstat -l

Is there anything in the systemd journal or ssh log files complaining about configuration issues?

This link may also assist with the configuration parameter you specify:
https://access.redhat.com/solutions/420283

Thanks. I used the MACs line that was in that link and that worked. Previously I had removed anything that had an MD in the name, sha1, or anything that seemed to indicate 96 bit. I think it probably needed one of the ones below that I'd removed.

MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

Hi,

I use exactly the same MACs on RHEL 7.3 and CentOS 7.3 systems and they work fine for PuTTY and SecureCRT (both recent versions):

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

I did observe that FileZilla had a problem with one of the MACs, though.

Regards,

DB
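The following script is an added example, not code from the thread, from Red Hat, or from OpenSSH. It turns the two suggestions above (check what "sshd -T" advertises, then confirm sshd still accepts the config) into something repeatable: it derives a MACs line from the server's advertised list by dropping every algorithm whose name indicates MD5, SHA-1, or a 96-bit truncated tag, optionally restricts the result to an explicit allow list like the one in the original question, and runs the candidate config through "sshd -t" before anything is changed under /etc/ssh. The name-pattern test, the allow-list helper, and the sample MAC list used when sshd is not available (or the script is not run as root) are my own constructions.

```shell
#!/bin/sh
# Added example: build and validate a hardened MACs line for sshd_config.
# Not Red Hat's or OpenSSH's code; the name patterns below are assumptions
# about OpenSSH's MAC naming scheme.

# Drop any MAC whose name indicates MD5, SHA-1, or a 96-bit truncated tag.
# umac-64 and hmac-ripemd160 are left alone on purpose: both working lists
# in the thread keep them, and the stated requirement was MD5 and 96-bit.
filter_weak_macs() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -Ev 'md5|sha1|-96' \
        | paste -s -d ',' -
}

# Keep only names present in a space-separated allow list, preserving the
# server's preference order (what sshd advertises first stays first).
allow_listed_macs() {
    list=$1; allow=$2; out=
    for m in $(printf '%s' "$list" | tr ',' ' '); do
        case " $allow " in
            *" $m "*) out=${out:+$out,}$m ;;
        esac
    done
    printf '%s\n' "$out"
}

# Advertised MAC list: the real "sshd -T" output when sshd exists and we are
# root (it needs the host keys); otherwise a constructed sample that mimics
# an OpenSSH 6.x default line, used only so the script runs anywhere.
current_macs() {
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sshd -T 2>/dev/null | awk '$1 == "macs" { print $2 }'
    else
        printf '%s\n' "hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"
    fi
}

# Let sshd parse a candidate config (-t) before the live file is touched.
# Returns sshd's exit status; parse errors go to stderr.  Host keys must be
# readable, so on the real host run this as root.
validate_config() {
    tmp=$(mktemp) || return 1
    printf 'MACs %s\n' "$1" > "$tmp"
    sshd -t -f "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# The allow list from the original question.
SECURE_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"

MACS=$(current_macs)
HARDENED=$(filter_weak_macs "$MACS")
STRICT=$(allow_listed_macs "$MACS" "$SECURE_MACS")
printf 'Advertised:          %s\n' "$MACS"
printf 'Without MD5/SHA-1/96: %s\n' "$HARDENED"
printf 'Allow list only:      %s\n' "$STRICT"
printf 'Proposed sshd_config line:\nMACs %s\n' "$STRICT"

if command -v sshd >/dev/null 2>&1; then
    if validate_config "$STRICT"; then
        echo "sshd -t: candidate config parses"
    else
        echo "sshd -t rejected the candidate config; fix it before restarting sshd"
    fi
fi
```

After the line is in place, the checks from the first reply still apply: restart with "systemctl restart sshd", confirm it stayed up with "systemctl status sshd" and "journalctl -u sshd", and confirm the listener with "ss -ltn" (works on RHEL 7 even when net-tools, which provides netstat, is not installed). Note that the allow-list output drops umac-64 and hmac-ripemd160, which the two working lists in the thread retain, so if an older client only offers one of those it will be refused; the allow list is the place to adjust that.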
