Notes On Openssh Configuration

Home » CentOS » Notes On Openssh Configuration
CentOS 6 Comments

Hello list,

To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC.

C6 client, C7 server:

debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none

C7 client & server:

debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

I reported this issue upstream:
https://bugzilla.redhat.com/show_bug.cgi?id17263
https://bugzilla.redhat.com/show_bug.cgi?id17264

You might want to add

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com

to your C7 ssh_config and sshd_config, or

MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,hmac-sha1-96

to your C6 ssh_config and sshd_config.

You might also want to prune your cipher list to exclude RC4 = arcfour ciphers with the option “Ciphers”. Compare http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/

Regards, Leonard.

6 thoughts on - Notes On Openssh Configuration

LEAVE A COMMENT