SSHD HMAC Configuration
The man page says so. Why don't you just try it out? Set up an SSH server somewhere, with that configuration, and connect to it from another machine with ssh -vv: the debug log will show the list of MAC algorithms advertised as supported by the server.
(I read your last sentence as: "I know this is stupid but I don't want to discuss it", which I further interpret as "I am looking for the fastest way to shut some dumb auditors up".)
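The check the answer describes (read the server's KEXINIT proposal out of the `ssh -vv` debug log and see which MACs it still offers) can be automated. The script below is an added example, not part of the original answer: it parses a constructed sample of `ssh -vv` output (the `debug2: peer server KEXINIT proposal` / `debug2: MACs stoc:` line format is OpenSSH's), flags any MAC name that is MD5-based or uses a truncated 96-bit tag, and prints a `MACs` line with those entries removed. The sample algorithm list and the helper names are assumptions for the demonstration.

```python
import re

# Constructed sample of `ssh -vv` debug output (not captured from a real host):
# only the lines relevant to the server's KEXINIT proposal are included.
SAMPLE_DEBUG = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-sha1-96
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-sha1-96
debug2: compression ctos: none,zlib@openssh.com
"""

# The two classes the question wants gone: MD5-based MACs and MACs with a
# truncated 96-bit tag (with or without the -etm@openssh.com suffix).
WEAK_MAC_PATTERNS = (
    ("md5", re.compile(r"md5", re.IGNORECASE)),
    ("96-bit", re.compile(r"-96(-etm@openssh\.com)?$")),
)


def server_macs(debug_output):
    """Return the MAC list the server advertised (server-to-client direction).

    ssh -vv prints both the client's and the server's KEXINIT proposals; only
    the 'MACs stoc:' line that follows 'peer server KEXINIT proposal' matters.
    """
    in_server_proposal = False
    for line in debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server_proposal = True
        elif "KEXINIT proposal" in line:
            in_server_proposal = False
        elif in_server_proposal and "MACs stoc:" in line:
            return line.split("MACs stoc:", 1)[1].strip().split(",")
    return []


def weak_macs(macs):
    """Map each flagged MAC name to the reason it was flagged."""
    flagged = {}
    for mac in macs:
        for reason, pattern in WEAK_MAC_PATTERNS:
            if pattern.search(mac):
                flagged[mac] = reason
                break
    return flagged


def hardened_macs_line(macs):
    """Build an sshd_config 'MACs' line with the flagged algorithms removed."""
    kept = [m for m in macs if m not in weak_macs(macs)]
    return "MACs " + ",".join(kept)


if __name__ == "__main__":
    advertised = server_macs(SAMPLE_DEBUG)
    for mac, reason in weak_macs(advertised).items():
        print(f"flagged {mac}: {reason}")
    print(hardened_macs_line(advertised))
```

To use it against a real host, save the client's debug output (`ssh -vv user@host 2> ssh-debug.log`) and feed the file contents to `server_macs`; re-run after changing `sshd_config` and restarting sshd to confirm the flagged names are gone from the server's proposal.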
Updated on September 18, 2022
Comments
- John (almost 2 years): I have read and understand the posting from here, https://security.stackexchange.com/questions/39756/secure-configuration-of-ciphers-macs-kex-available-in-ssh. However, I would like to know what the /etc/sshd_config configuration would look like should I want to accomplish the following goals:
  - Disable any 96-bit HMAC algorithms
  - Disable any MD5-based HMAC algorithms
  Would it be the following?
  MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-ripemd160
  Note that this question is looking for the configuration setting(s) needed, and not reasons, rationale, or discussion of why this may or may not be a good idea.
- John (over 10 years): Yes, this is due to some audits being performed where the network-based vulnerability scanner is showing vulnerabilities for "SSH Insecure HMAC Algorithms Enabled." I am looking for a configuration that will satisfy their scans.
- pdu (over 9 years): Sounds like Nessus. I was just playing around with this, thanks for that!
- Smithers (over 9 years): Man pages are most useful to those who already know how it works (it being whatever the man page is about)... so the "RTFM" portion of the answer isn't terribly helpful.