From: Shamim Shahriar
Date: Mon, 17 Feb 2020 15:09:04 +0000
Subject: disabling "weak" algorithms in sshd
To: "freebsd-questions@FreeBSD.org"

Good afternoon all

I had been googling for quite some time and so far came up empty; maybe someone can shed some light or point me in the correct direction.

I have introduced a bunch of servers into an infrastructure that previously had zero FreeBSD systems. They make use of Tenable Security Centre (tenable.com), which I believe used Nessus in the backend to identify vulnerabilities. Amongst other things, it is picking up on (tenable/nessus plugin ID 90317) "SSH Weak Algorithms Supported" because the server allows "none" algorithms.

Is there any way to "select" or "selectively disable" algorithms and hashes from sshd? According to various web sources, certain implementations on certain distributions might have options to amend the list, but none of the examples I have found worked on my FreeBSD system.

Would appreciate if someone could please point me in the correct direction.

Kind regards
SK
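
Added example, not part of the original post: OpenSSH's sshd_config(5) accepts explicit comma-separated lists for the `Ciphers`, `MACs` and `KexAlgorithms` keywords, and `sshd -T` prints the lists currently in effect. The script below rewrites those lists without the weak names. The function names are hypothetical, the sample input is constructed, and treating the arcfour names as weak alongside the "none" from the post is an assumption.

```shell
#!/bin/sh
# Added example: turn `sshd -T` output into explicit sshd_config lines
# with weak algorithm names removed. Function names are hypothetical.

# Names treated as weak. "none" comes from the scanner finding in the post;
# the arcfour entries are an assumption added for illustration.
WEAK_ALGS='none arcfour arcfour128 arcfour256'

# is_weak NAME: succeeds when NAME is listed in WEAK_ALGS.
is_weak() {
    case " $WEAK_ALGS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# harden_sshd_T: read `sshd -T` output on stdin; for every algorithm
# directive that contains a weak name, print the list without it.
harden_sshd_T() {
    while read -r key value; do
        case "$key" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        kept='' dropped='' old_ifs=$IFS
        IFS=,
        for alg in $value; do
            if is_weak "$alg"; then dropped="${dropped:+$dropped,}$alg"
            else kept="${kept:+$kept,}$alg"
            fi
        done
        IFS=$old_ifs
        [ -n "$dropped" ] || continue
        printf '# %s: dropping %s\n' "$key" "$dropped"
        if [ -n "$kept" ]; then printf '%s %s\n' "$key" "$kept"
        else printf '# %s: nothing left, see ssh -Q cipher|mac|kex\n' "$key"
        fi
    done
}

# Constructed sample of `sshd -T` output (not taken from a real host).
sample_sshd_T() {
    cat <<'EOF'
port 22
ciphers aes128-ctr,aes256-ctr,arcfour,none
macs hmac-sha2-256,none
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
EOF
}

sample_sshd_T | harden_sshd_T
```

On a real host, run `sshd -T | harden_sshd_T` as root, put the printed lines in `/etc/ssh/sshd_config`, check the file with `sshd -t`, and reload sshd before re-running the scan.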