Date: Wed, 9 Feb 2022 16:12:20 -0500
From: Jon Radel <jon@radel.com>
To: Dale Scott <dalescott@shaw.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to disable support for MD5 in ssh server
Message-ID: <9ABC5361-1C6A-45FB-9EC9-703DA1E85D6C@radel.com>
In-Reply-To: <4776E413-18B8-42D0-AA56-DDF7F376736B@radel.com>
References: <4776E413-18B8-42D0-AA56-DDF7F376736B@radel.com>
The dreaded follow-up to my own response:

If you do try ssh-audit, run it with -v. md5 hashes can also be used with server fingerprints. That's only reported in verbose mode.

I'm unclear if you can turn off md5 completely for that, though FingerprintHash seems to control whether they're paid attention to.

Have fun!

--Jon Radel
jon@radel.com

> On Feb 9, 2022, at 3:29 PM, Jon Radel <jon@radel.com> wrote:
>
> It would be in the macs, not ciphers. Not that that changes the fact that it's been some time since any of the default macs used md5.
>
> You might get a second opinion on what's happening using a tool such as jtesta/ssh-audit on GitHub.
>
> And I'd be tempted to explicitly set the macs to what the man page said they're supposed to be. It's not completely unknown for a man page and program to get out of sync.
>
> --Jon Radel
> jon@radel.com
>
>> On Feb 9, 2022, at 1:40 PM, Dale Scott <dalescott@shaw.ca> wrote:
>>
>> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
>>
>> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm."
>>
>> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
>>
>> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
>>
>> The only edit I have made to the default /etc/ssh/sshd_config was to disable password login (to allow ssh only).
>>
>> What am I not understanding? Google hasn't been much help, although I expect I haven't been asking the right question.
>>
>> Should I disable MD5 as recommended, and how?
>>
>>
>> % uname -a
>> FreeBSD starlord 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
>>
>> Many thanks in advance,
>> Dale
>>
>> P.S.
>>
>>
>>
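An added example, not from anyone in this thread: a small POSIX sh check that reads the output of `sshd -T` (the effective server configuration, which needs root because sshd reads its host keys) and reports every keyword whose algorithm list mentions MD5. It covers `macs`, where Jon says the MD5 algorithms would live, plus `ciphers`, `kexalgorithms`, `hostkeyalgorithms` and `fingerprinthash`, which Dale's grep did not look at. The two dumps in the script are constructed samples, not output from a real host. One caveat on the fingerprint point: the MD5 host-key fingerprint that `ssh-audit -v` prints is computed by the client from the public host key, so no sshd_config setting can stop a scanner from computing it; `FingerprintHash` in sshd_config only selects which hash sshd uses when it logs fingerprints.

```shell
#!/bin/sh
# Added example (not from the thread): scan an `sshd -T` dump for MD5-based
# algorithms.  Live use, as root:   sshd -T | check_md5_algs
# The two dumps below are constructed samples, not captured from a real host.

CLEAN_DUMP='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
fingerprinthash SHA256'

# Same shape, but with legacy MD5 MACs re-enabled and MD5 fingerprints in the logs.
WEAK_DUMP='macs hmac-md5,hmac-md5-96,hmac-sha2-256
kexalgorithms curve25519-sha256
fingerprinthash MD5'

# check_md5_algs: read an sshd -T dump on stdin, print every keyword whose
# value names an MD5 algorithm, and return 1 if any was found (0 if clean).
check_md5_algs() {
    found=0
    while read -r key value; do
        # only the keywords that carry algorithm lists or a hash choice
        case "$key" in
            ciphers|macs|kexalgorithms|hostkeyalgorithms|fingerprinthash) ;;
            *) continue ;;
        esac
        # one algorithm per line, lower-cased, so "MD5", "hmac-md5" and
        # "hmac-md5-96" all match the same pattern
        if printf '%s\n' "$value" | tr ',' '\n' | tr 'A-Z' 'a-z' | grep -q 'md5'; then
            echo "MD5 in $key: $value"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone demo against the constructed dumps.
printf '%s\n' "$CLEAN_DUMP" | check_md5_algs && echo "clean dump: no MD5 algorithms"
printf '%s\n' "$WEAK_DUMP" | check_md5_algs || echo "weak dump: MD5 algorithms present"
```

If the check flags `macs`, the fix Jon suggests is an explicit `MACs` line in /etc/ssh/sshd_config listing only the SHA-2 and UMAC algorithms from sshd_config(5) (for example `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com`, assuming your OpenSSH build offers those names), followed by `sshd -t` to validate the file, a restart, and a re-run of `sshd -T | check_md5_algs` to confirm the effective configuration changed. If the check is clean but the scorecard still complains, the finding is more likely about fingerprints than about negotiated algorithms, and that is the item `ssh-audit -v` will show.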
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9ABC5361-1C6A-45FB-9EC9-703DA1E85D6C>