Hello,
I am using OpenBSD when teaching the Unix operating system at the University of
Ostrava. I have been asked by IT staff to remove hmac-sha1 from OpenSSH
on two servers with OpenBSD 7.8 amd64.
Servers reported
mac_algorithms: (10)
umac-64-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1
I added to sshd_config
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
and got
mac_algorithms: (4)
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-256
I have two questions, please.
1) What are your recommended safe mac_algorithms?
2) Why does the default installation have the mac_algorithm hmac-sha1 enabled,
which the vulnerability scan tool reports as weak?
Best regards,
Jiří Navrátil
--
Jiri Navratil, https://openbsd.navratil.info, +420 777 224 245
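
An added example, not part of the original message: a small POSIX shell check that picks the SHA-1 based MACs out of a listing like the ones above and builds an sshd_config line removing only those from the default set, using the leading '-' form of the MACs keyword. Unlike the replacement list in the message, that form leaves the umac algorithms enabled; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original message. The two lists are the
# mac_algorithms listings quoted in the message (before and after).
BEFORE_MACS='umac-64-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1'

AFTER_MACS='hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-256'

# sha1_macs (hypothetical helper): read MAC names on stdin, one per line
# or comma-separated, and print the SHA-1 based ones as a single
# comma-separated line. Prints nothing when none are present.
sha1_macs() {
    tr ', ' '\n\n' | awk '
        /^hmac-sha1(-|$)/ { out = out sep $0; sep = "," }
        END { if (out != "") print out }'
}

# removal_line (hypothetical helper): turn that result into an
# sshd_config line. A list starting with "-" removes the named
# algorithms from the default set instead of replacing the set.
removal_line() {
    found=$(sha1_macs)
    [ -z "$found" ] || printf 'MACs -%s\n' "$found"
}

# On a live server the effective list comes from sshd itself (as root):
#   sshd -T | awk '$1 == "macs" { print $2 }' | removal_line
printf 'before: %s\n' "$(printf '%s\n' "$BEFORE_MACS" | removal_line)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER_MACS" | sha1_macs)"
```

An empty "after:" line means no SHA-1 MAC is left in the listing.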