[CentOS] Notes on openssh configuration

Leonard den Ottolander

leonard at den.ottolander.nl
Fri Jan 27 18:03:18 UTC 2017


Hello list,

To my astonishment the openssh versions on both C6 and C7 will by
default negotiate an MD5 HMAC.

C6 client, C7 server:

debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none

C7 client & server:

debug2: mac_setup: setup hmac-md5-etm at openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
debug2: mac_setup: setup hmac-md5-etm at openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none

I reported this issue upstream:
https://bugzilla.redhat.com/show_bug.cgi?id=1417263
https://bugzilla.redhat.com/show_bug.cgi?id=1417264

You might want to add

MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-512,hmac-sha2-256-etm at openssh.com,hmac-sha2-256,hmac-sha1-etm at openssh.com,hmac-sha1,hmac-ripemd160-etm at openssh.com,hmac-ripemd160 at openssh.com,hmac-ripemd160,umac-128 at openssh.com,umac-128-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-sha1-96,umac-64-etm at openssh.com,umac-64 at openssh.com

to your C7 ssh_config and sshd_config, or

MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,umac-64 at openssh.com,hmac-sha1-96

to your C6 ssh_config and sshd_config.

You might also want to prune your cipher list to exclude RC4 = arcfour
ciphers with the option "Ciphers". Compare
http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research





More information about the CentOS mailing list