Date: Wed, 9 Feb 2022 15:27:41 -0500
From: Jon Radel <jon@radel.com>
To: Dale Scott <dalescott@shaw.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to disable support for MD5 in ssh server
Message-ID: <4776E413-18B8-42D0-AA56-DDF7F376736B@radel.com>
In-Reply-To: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>
References: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>
It would be in the macs, not ciphers. Not that that changes the fact that it’s been some time since any of the default macs used md5.
You might get a second opinion on what’s happening using a tool such as jtesta/ssh-audit on GitHub.
And I’d be tempted to explicitly set the macs to what the man page said they’re supposed to be. It’s not completely unknown for a man page and program to get out of sync.
--Jon Radel
jon@radel.com
> On Feb 9, 2022, at 1:40 PM, Dale Scott <dalescott@shaw.ca> wrote:
>
> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
>
> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm."
>
> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
>
> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
>
> The only edit I have made to the default /etc/ssh/sshd_config was to disable password login (to allow ssh only).
>
> What am I not understanding? Google hasn't been much help, although I expect I haven't been asking the right question.
>
> Should I disable MD5 as recommended, and how?
>
>
> % uname -a
> FreeBSD starlord 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
>
> Many thanks in advance,
> Dale
>
> P.S.
>
>
>
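The two checks Jon points at (what the running sshd actually offers, and pinning the MACs explicitly rather than trusting the man page) can be scripted. The following is an added example, not code from either poster or from the FreeBSD project. It parses "sshd -T" style output, counts MD5-based MACs, and prints an explicit MACs line for sshd_config that keeps only the non-MD5, non-SHA-1 entries. Both sample outputs embedded below are constructed for the example; on a real host replace them with "sshd -T" run as root. The function names (macs_from_sshd_T, count_md5_macs, hardened_macs_line) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the effective MAC list from
# "sshd -T", flag MD5-based MACs, and build an explicit MACs directive.
#
# The two samples are constructed here so the script runs without an sshd.
# On a live host use:  sshd -T | macs_from_sshd_T

# Sample 1 (constructed): a MAC list resembling modern OpenSSH defaults, no MD5.
SAMPLE_DEFAULT='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org'

# Sample 2 (constructed): a host where legacy MACs were re-enabled by hand.
SAMPLE_LEGACY='ciphers aes128-ctr,aes256-ctr
macs hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha2-256,hmac-md5-etm@openssh.com
kexalgorithms diffie-hellman-group14-sha256'

# Read "sshd -T" output on stdin and print the comma-separated MAC list.
macs_from_sshd_T() {
    awk '$1 == "macs" { print $2; exit }'
}

# Print each MD5-based MAC from a comma-separated list, one per line.
list_md5_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -i 'md5' || true
}

# Print how many MACs in the list are MD5-based ("0" if none).
count_md5_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -ic 'md5' || true
}

# Emit an explicit "MACs ..." line that drops every MD5 and SHA-1 entry,
# preserving the server's original order for the entries that remain.
hardened_macs_line() {
    kept=$(printf '%s\n' "$1" | tr ',' '\n' \
        | grep -iv -e 'md5' -e 'sha1' \
        | tr '\n' ',' | sed 's/,$//')
    printf 'MACs %s\n' "$kept"
}

# Stand-alone demonstration on the constructed samples.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_LEGACY"; do
    macs=$(printf '%s\n' "$sample" | macs_from_sshd_T)
    printf 'effective macs: %s\n' "$macs"
    printf 'md5 macs found: %s\n' "$(count_md5_macs "$macs")"
    list_md5_macs "$macs"
    hardened_macs_line "$macs"
    echo
done
```

Two caveats when comparing this with a scanner's report. First, "sshd -T" shows what the local configuration resolves to, while a tool such as ssh-audit talks to the listening port and reports what that server actually advertises in its KEXINIT; if the two disagree, the scanner may be hitting a different host, port or jail than the one you configured. Second, "ssh -Q mac" lists every MAC the OpenSSH binary was built with, including hmac-md5, and is not a statement of what the server has enabled, so it is not evidence of a finding on its own.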