Score:0

Bad SSH2 mac spec EC2


I am trying to disable any weak ciphers/algorithms in my EC2 instances, and I have added the following lines to /etc/ssh/sshd_config:

...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,[email protected],hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]
...

When I try to restart the sshd service, it does not restart properly, so I ran:

sshd -t

And I got the following error:

Bad SSH2 mac spec 'hmac-sha1,[email protected],hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]'

Can someone help me fix this?

The sshd version is OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

Score:0
Bob

Support for the RIPE-MD160 HMAC algorithm was removed from OpenSSH in 2017, in the 7.6 release, so you might want to check the publication date and how old the source is to support your decision on which algorithms you want to include.

According to the manual (man sshd_config), the list of available MAC algorithms can be obtained using ssh -Q mac.

Make a selection from those.

The now-defunct cypherli.st recommended the following as strong MAC algorithms:

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

and other settings:

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

But you might want to confirm those as well.
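Since sshd refuses to start on a single unknown name, it helps to check a proposed list against what the installed build actually supports before restarting. The following script is an added example and is not part of the original answer; the script name is hypothetical, and the embedded `ssh -Q mac` output is a constructed sample from a plain (non-FIPS) OpenSSH 8.0 build so the demo runs offline. On a real host, pass an option name and list on the command line and it queries the local `ssh -Q` instead.

```shell
#!/bin/sh
# check_sshd_algos.sh (hypothetical name, added example): report entries of a
# comma-separated sshd_config algorithm list that the local OpenSSH build does
# not support, so a typo or a removed algorithm such as hmac-ripemd160 is
# caught before sshd fails with "Bad SSH2 mac spec".

# Constructed sample of `ssh -Q mac` output from a non-FIPS OpenSSH 8.0 build,
# used only so the demo and tests run offline. A FIPS build like the asker's
# may list fewer algorithms, so always confirm against the live output.
SAMPLE_MACS='hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com'

# unsupported_algos LIST SUPPORTED
#   LIST       the value as written in sshd_config (comma-separated)
#   SUPPORTED  newline-separated names, as printed by `ssh -Q <type>`
# Prints each entry of LIST missing from SUPPORTED, one per line, and returns
# 0 when every entry is supported, 1 otherwise. A leading '+' or '-' (append
# to / remove from the defaults, see sshd_config(5)) is stripped first;
# wildcard patterns in '-' lists are not handled.
unsupported_algos() {
    list=${1#[+-]}
    supported=$2
    rc=0
    old_ifs=$IFS
    IFS=,
    for algo in $list; do
        # -F literal, -x whole line: "hmac-sha2-256" must not be accepted
        # just because "hmac-sha2-256-etm@openssh.com" is present.
        if ! printf '%s\n' "$supported" | grep -Fxq -- "$algo"; then
            printf '%s\n' "$algo"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# query_type OPTION: map an sshd_config keyword to its `ssh -Q` query name.
query_type() {
    case $1 in
        Ciphers)       printf 'cipher\n' ;;
        MACs)          printf 'mac\n' ;;
        KexAlgorithms) printf 'kex\n' ;;
        *)             return 1 ;;
    esac
}

# check_option OPTION LIST: run the same check against the live `ssh -Q`
# output of the OpenSSH build installed on this host.
check_option() {
    qtype=$(query_type "$1") || { printf 'unknown option: %s\n' "$1" >&2; return 2; }
    unsupported_algos "$2" "$(ssh -Q "$qtype")"
}

if [ $# -eq 2 ]; then
    # Usage: sh check_sshd_algos.sh MACs 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256'
    check_option "$1" "$2" && printf 'all entries supported\n'
else
    # Offline demo against the constructed sample. The second list contains
    # hmac-ripemd160, removed in OpenSSH 7.6, and is flagged.
    unsupported_algos 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256' "$SAMPLE_MACS" \
        && printf 'ok: hardened list supported\n'
    unsupported_algos 'hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256' "$SAMPLE_MACS" \
        || printf 'fix: the entries above are not supported by this build\n'
fi
```

The same function works for Ciphers and KexAlgorithms because `ssh -Q cipher` and `ssh -Q kex` print in the same one-name-per-line format; only the keyword mapping differs.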

Jananath Banuka
Is there a way I can identify if my `MACs` or `Ciphers` are weak or strong?
Bob
OpenSSH defaults are tuned for compatibility, using settings that are still considered secure for general purposes, but they also do not limit clients to using only the "best" cryptographic security. Generally, elliptic curves and AES are considered good, and longer keys are better than shorter ones. Cryptography is an ever-evolving field of study, and what is considered weak and strong also evolves with research and scientific breakthroughs. That is better discussed at https://security.stackexchange.com/ - Also: https://serverfault.com/help/someone-answers