Date: Wed, 9 Feb 2022 15:27:41 -0500
From: Jon Radel <jon@radel.com>
To: Dale Scott <dalescott@shaw.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to disable support for MD5 in ssh server
Message-ID: <4776E413-18B8-42D0-AA56-DDF7F376736B@radel.com>
In-Reply-To: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>
References: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>

It would be in the macs, not ciphers. Not that that changes the fact that it’s been some time since any of the default macs used md5.

You might get a second opinion on what’s happening using a tool such as jtesta/ssh-audit on GitHub.

And I’d be tempted to explicitly set the macs to what the man page said they’re supposed to be. It’s not completely unknown for a man page and program to get out of sync.

--Jon Radel
jon@radel.com

> On Feb 9, 2022, at 1:40 PM, Dale Scott <dalescott@shaw.ca> wrote:
>
> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
>
> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm."
>
> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
>
> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
>
> The only edit I have made to the default /etc/ssh/sshd_config was to disable password login (to allow ssh only).
>
> What am I not understanding? Google hasn't been much help, although I expect I haven't been asking the right question.
>
> Should I disable MD5 as recommended, and how?
>
>
> % uname -a
> FreeBSD starlord 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
>
> Many thanks in advance,
> Dale
>
> P.S.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4776E413-18B8-42D0-AA56-DDF7F376736B>
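
The check discussed in this message, as an added example that is not part of the original e-mail: a filter over `sshd -T` output that names every MD5-based entry in the ciphers, macs and kexalgorithms lists, so it is clear which directive a scanner finding would map to. The function name and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list MD5-based algorithms in
# `sshd -T` output. Real use, as root:  sshd -T | find_md5_algos

# Reads effective-config lines ("macs a,b,c") on stdin, prints
# "<directive> <algorithm>" per MD5-based name, returns 1 if any found.
find_md5_algos() {
    awk '
        {
            key = tolower($1)
            # Same three directives the original poster grepped for.
            if (key != "ciphers" && key != "macs" && key != "kexalgorithms") next
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algos[i]) ~ /md5/) { print key, algos[i]; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: no MD5 anywhere (what the poster reports seeing).
sample_clean() {
    cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
EOF
}

# Constructed sample: MD5 MACs enabled explicitly in sshd_config.
sample_legacy() {
    cat <<'EOF'
ciphers chacha20-poly1305@openssh.com,aes128-ctr
macs hmac-sha2-256,hmac-md5,hmac-md5-96-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256
EOF
}

sample_clean  | find_md5_algos && echo "clean sample: no MD5-based algorithms"
sample_legacy | find_md5_algos || echo "legacy sample: MD5-based MACs offered"
```

If the filter prints nothing against the live `sshd -T` output while an external scan still reports MD5, the scan is likely looking at a different listener or host than the one this configuration governs.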