Come disabilitare gli algoritmi HMAC basati su MD5 per SSH

Questo è un breve post su come disabilitare gli algoritmi HMAC basati su MD5 per ssh su Linux.

1. Assicurati di aver aggiornato il pacchetto openssh all'ultima versione disponibile.

2. Per modificare i cifrari/md5 in uso è necessario modificare il file sshd_config, puoi aggiungere Ciphers e MAC con le opzioni come da pagina man. Ad esempio:

# vi /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

Dalla pagina man di sshd_config:

# man sshd_config

     Ciphers
             Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be comma-separated.  The supported ciphers are
             “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”,
             “arcfour”, “blowfish-cbc”, “rijndael-cbc@lysator.liu.se”, and “cast128-cbc”.  The default is:

                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

     MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used in protocol version 2 for data
             integrity protection.  Multiple algorithms must be comma-separated.  The default is:

                   hmac-md5,hmac-sha1,umac-64@openssh.com,
                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

3. Riavvia il servizio sshd.

# service sshd restart       ### For CentOS/RHEL 6
# systemctl restart sshd     ### For CentOS/RHEL 7