Mailing List Archive

Validate SSH hardening to address the vulnerabilities
Hi,

I am running openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release
7.9.2009 (Core).

#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
#rpm -qa | grep -i ssh
openssh-clients-7.4p1-21.el7.x86_64
libssh2-1.8.0-4.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
#

I have configured the below SSH configuration as part of hardening to
address vulnerabilities.

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
> ,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
> aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com


Is there a way to validate if the above Key exchange, Cipher and MAC
algorithms address the vulnerabilities? Please guide. Thanks in advance.

Best Regards,

Kaushal
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Validate SSH hardening to address the vulnerabilities [ In reply to ]
On Tue, 2021-05-25 at 18:04 +0530, Kaushal Shriyan wrote:
> Is there a way to validate if the above Key exchange, Cipher and MAC
> algorithms address the vulnerabilities?

For a command-line tool, see ssh-audit:
https://github.com/jtesta/ssh-audit

For a web front-end that gives prettier results (and references):
https://www.ssh-audit.com/

- Joe


--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev