From nobody Wed Feb 9 22:28:41 2022 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 84CE719ADDA1 for ; Wed, 9 Feb 2022 22:28:43 +0000 (UTC) (envelope-from dalescott@shaw.ca) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JvF0B5L7Fz3h1F for ; Wed, 9 Feb 2022 22:28:42 +0000 (UTC) (envelope-from dalescott@shaw.ca) Received: from shw-obgw-4002a.ext.cloudfilter.net ([10.228.9.250]) by cmsmtp with ESMTP id HmN1nxpGp5Rf1HvS6nmleK; Wed, 09 Feb 2022 22:28:42 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=shaw.ca; s=s20180605; t=1644445722; bh=3DvbeMMOt1wi04bYETpXlQV3A1TmCfXJ+bi/s52Qcmk=; h=Date:From:To:Cc:In-Reply-To:References:Subject; b=JxrbfgT3Ji/qgesMmddcCvOfB4v44CYtjHie+bN/s/gj4NNJcOO6CcUBAQRagK6it pDSVvRSIiqizDsu3EaEsVk7KsXMyJyugw+t0VDb7tzugglb+IhvNIX/06ttE6V0dOM Wtl9BdKRcpfTmrP6PTY7icgIQW5AJ28tni++bwD9y304KpcYD2VdmW87DZWq5b1VAQ mLzzJwB1P2u8sC3rXmpNYcpaiQaRycHBRmFjzGxh8SA00bii690KfVn9EgAUbtRocN 4BFPFWaXuK6j3rEhk02pV+9cM8vnfcRbxWK2E+y0b/QB6WqdTB9vBBSFCGuKFXQU1C twMGUbzHsVnqw== Received: from cds220.dcs.int.inet ([64.59.134.6]) by cmsmtp with ESMTP id HvS5n4YF8a4s1HvS5nK3LI; Wed, 09 Feb 2022 22:28:41 +0000 X-Authority-Analysis: v=2.4 cv=S9vKfagP c=1 sm=1 tr=0 ts=62044019 a=9zdlX7M534QhL7mOrorEvQ==:117 a=FKkrIqjQGGEA:10 a=on0NmgUIp3IA:10 a=IkcTkHD0fZMA:10 a=-5WMeQcgAAAA:8 a=_Dj-zB-qAAAA:8 a=6I5d2MoRAAAA:8 a=wlEq2QQ7HVRnaa2PlDYA:9 a=QEXdDO2ut3YA:10 a=dqhHHgqGWK6PZCAJIYkV:22 a=c-cOe7UV8MviEfHuAVEQ:22 a=IjZwj45LgO3ly-622nXo:22 Date: Wed, 9 Feb 2022 15:28:41 -0700 (MST) From: Dale Scott To: Jon Radel Cc: freebsd-questions Message-ID: <1365403251.570153055.1644445721383.JavaMail.zimbra@shaw.ca> In-Reply-To: <9ABC5361-1C6A-45FB-9EC9-703DA1E85D6C@radel.com> References: <4776E413-18B8-42D0-AA56-DDF7F376736B@radel.com> <9ABC5361-1C6A-45FB-9EC9-703DA1E85D6C@radel.com> Subject: Re: how to disable support for MD5 in ssh server List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [162.223.103.50, 162.223.103.50] X-Mailer: Zimbra 8.8.15_GA_4125 (ZimbraWebClient - GC98 (Win)/8.8.15_GA_4059) Thread-Topic: how to disable support for MD5 in ssh server Thread-Index: vo9Och6EhOqCAPfmDfxOLDvwSyjW6g== X-CMAE-Envelope: MS4xfJNmHROJmD6Vfqh0DYV3kI9iC65XikHlovW1fasq/7QtjotGXOvH42BYuN2BaofbNKr6FQ3QdyX4PVEkZphJS1TmyKrYasMqZ9D4s+UBMrklS6usuj6j UVqIa41hDZIRb0CpMz55JneU9wtqt8lYpKr3+2uu94D7lToMojH43hflfWJcCRl3X7wfc1QxDKMAvUQ5xLflQn++hNcYHo+txTUJ4iV/QhbwC179i7BxMuS+ X-Rspamd-Queue-Id: 4JvF0B5L7Fz3h1F X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=shaw.ca header.s=s20180605 header.b=JxrbfgT3; dmarc=pass (policy=none) header.from=shaw.ca; spf=pass (mx1.freebsd.org: domain of dalescott@shaw.ca designates 3.97.99.32 as permitted sender) smtp.mailfrom=dalescott@shaw.ca X-Spamd-Result: default: False [-4.70 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[shaw.ca:s=s20180605]; HAS_XOIP(0.00)[]; FROM_HAS_DN(0.00)[]; RWL_MAILSPIKE_GOOD(0.00)[3.97.99.32:from]; R_SPF_ALLOW(-0.20)[+ip4:3.97.99.32/31]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[shaw.ca:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[shaw.ca,none]; RCVD_IN_DNSWL_MED(-0.20)[3.97.99.32:from]; MLMMJ_DEST(0.00)[freebsd-questions]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; MID_RHS_MATCH_FROM(0.00)[]; DWL_DNSWL_NONE(0.00)[shaw.ca:dkim] X-ThisMailContainsUnwantedMimeParts: N > From: "Jon Radel" > To: "Dale Scott (dalescott@shaw)" > Cc: "freebsd-questions" > Sent: Wednesday, February 9, 2022 2:12:20 PM > Subject: Re: how to disable support for MD5 in ssh server > The dreaded follow up to my own response: >=20 > If you do try ssh-audit, run it with -v. md5 hashes can also be used with= server > fingerprints. That=E2=80=99s only reported in verbose mode. >=20 > I=E2=80=99m unclear if you can turn off md5 completely for that, though F= ingerprintHash > seems to control whether they=E2=80=99re paid attention to. Thanks Jon for the suggestions, I'll give ssh-audit a try. I'll also check if I can get more specific information from SecurityScorecard. I found they= have a bot that responds if you question a reported security issue with details wh= y they believe it's an issue (they say they will escalate to a real person if you = persist). Having fun! ;-) Dale