Bad SSH2 mac spec EC2

Jananath Banuka

7/21/23, 9:54 AM

I am trying to disable any weak ciphers/algorithms in my ec2 instances. And I have added following lines in the /etc/ssh/sshd_config

...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,[email protected],hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]
...

And when I try to restart the sshd service, it is not re-starting properly. So I did;

sshd -t

And I got the following error:

Bad SSH2 mac spec 'hmac-sha1,[email protected],hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]'

Can somehelp help me how to fix this?

The sshd version is OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

294

0 + 0

linux

ssh

Score:0

Server

Bob

7/21/23, 10:14 AM

Support for the RIPE-MD160 HMAC algorithm was removed from OpenSSH in 2017 in the 7.6 release so you might want to check the publication date and how old the source is to support your decision on what algorithms you want to include.

According to the manual man sshd_config the list of available MAC algorithms can be obtained using ssh -Q mac.

Make a selection from those.

The now defunct cypherli.st recommended the following as strong MAC algorithms:

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

and other settings:

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

But you might want to confirm those as well.

0 + 0

Jananath Banuka

7/21/23, 10:20 AM

Is there a way I can identify if my `MACs` or `Ciphers` are weak or strong?

Bob

7/21/23, 10:33 AM

OpenSSH defaults are tuned for compatibility, using settings that are still considered secure for general purposes but they also do not limit clients to use only the "best" cryptographic security. Generally elliptic curves, AES are considered good and longer keys are better than shorter. Cryptography is an ever evolving field of studies and what is considered weak and strong also evolves with research and scientific breakthroughs. That is better discussed at https://security.stackexchange.com/ - Also: https://serverfault.com/help/someone-answers

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Bad SSH2 mac spec EC2

TH: SSH2 mac spec ไม่ดี EC2

RO: Specific SSH2 mac EC2 greșit

RU: Плохая спецификация SSH2 для Mac EC2

VI: Thông số kỹ thuật mac SSH2 không hợp lệ EC2

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.