Date: Thu, 10 Feb 2022 14:16:35 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: how to disable support for MD5 in ssh server
Message-ID: <CAHu1Y71zJMTFu5W28_bgFqOKKsgMXcR3a+TWqVQdp78pt8O90w@mail.gmail.com>
In-Reply-To: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>
References: <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca>
On Wed, Feb 9, 2022 at 10:39 AM Dale Scott <dalescott@shaw.ca> wrote:

> Hi all, I'm a security novice so I signed up with SecurityScorecard for a
> review.
>
> My scorecard has 3 points subtracted because "The SSH server is configured
> to support MD5 algorithm."
>
> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include
> MD5 in defaults.
>
> I also don't see MD5 listed in the response to "# sshd -T | grep
> "\(ciphers\|macs\|kexalgorithms\)"

I would conclude that SecurityScorecard is bunk, incompetent, a waste of time.

sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkeyalgorithms\)"

Certainly says what your server is willing to negotiate. Who knows why they came to the conclusion they did.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y71zJMTFu5W28_bgFqOKKsgMXcR3a%2BTWqVQdp78pt8O90w>
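The check the reply recommends, turned into a small audit script. This is an added example, not code from the thread or from OpenSSH: it scans an `sshd -T` dump for MD5-based algorithm names (in OpenSSH those can only be MACs: hmac-md5, hmac-md5-96 and their -etm@openssh.com variants) and, when any are found, prints a replacement `MACs` line for sshd_config with them removed. The `sshd -T` output embedded below is constructed for the example (the usual defaults with hmac-md5 and hmac-md5-96 deliberately appended) so it runs without an sshd on the box; on a real host pipe the live `sshd -T` output into the same functions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audit the effective
# sshd algorithm lists for MD5 and build an MD5-free MACs line.

# Constructed sample of `sshd -T` output, not captured from a real host:
# OpenSSH defaults with hmac-md5 and hmac-md5-96 appended on purpose so the
# check has something to find.
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-md5-96
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Read an `sshd -T` dump on stdin and print "<list> <algorithm>" for every
# MD5-based name in the ciphers/macs/kexalgorithms/hostkeyalgorithms lines.
# Exit 0 if anything was found, 1 otherwise. Only MACs can name MD5 in
# OpenSSH, but all four lists are scanned so a surprise is reported rather
# than assumed away.
md5_offered() {
    awk '
        $1 ~ /^(ciphers|macs|kexalgorithms|hostkeyalgorithms)$/ {
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] ~ /md5/) { print $1 " " alg[i]; found = 1 }
        }
        END { exit !found }
    '
}

# Read an `sshd -T` dump on stdin and print the MACs list with every MD5
# entry dropped, in sshd_config syntax ("MACs a,b,c"), order preserved.
macs_without_md5() {
    awk '
        $1 == "macs" {
            n = split($2, alg, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (alg[i] !~ /md5/) out = out (out == "" ? "" : ",") alg[i]
            print "MACs " out
        }
    '
}

# Stand-alone run against the constructed sample. On a real host:
#   sshd -T | md5_offered        # anything printed is what the scanner saw
#   sshd -T | macs_without_md5   # paste into sshd_config, then `sshd -t`
if printf '%s\n' "$SAMPLE_SSHD_T" | md5_offered; then
    echo "MD5 is offered; suggested sshd_config replacement:"
    printf '%s\n' "$SAMPLE_SSHD_T" | macs_without_md5
else
    echo "no MD5 algorithm offered"
fi
```

Two caveats when reading the result against a scanner's report. `sshd -T` evaluates the configuration file, not the daemon that is actually listening, so a daemon started before a config change can still offer what the file no longer lists; after editing, validate with `sshd -t` and reload or restart sshd. And a scanner observes the server's KEX_INIT from the network, so the comparison that settles the argument is the same view from outside, for instance `nmap --script ssh2-enum-algos -p 22 <host>` (nmap assumed to be installed; it is not part of the example above).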
