Disable weak Hash-based message authentication codes HMACs in SSH services

View Categories

Disable weak Hash-based message authentication codes HMACs in SSH services

2 min read

What are HMACs #

HMACs, or Hash-based Message Authentication Codes, are cryptographic constructs that use a secret key and a hash function to verify the integrity and authenticity of data or messages. HMACs provide a way to ensure that data hasn’t been tampered with during transmission and that it originates from a trusted source. They involve combining the data with a secret key, hashing the result, and then comparing it to a reference HMAC at the recipient’s end, offering a secure method to confirm data validity in various applications, including secure communication and authentication systems.

In SSH (Secure Shell) services like SSHd (SSH daemon), HMACs are employed to enhance the security of the communication between a client and server. During the SSH key exchange process, the server and client negotiate on a set of cryptographic algorithms, including the HMAC algorithm, to be used for data integrity verification. The chosen HMAC algorithm, combined with a shared secret key, is used to generate HMAC tags for outgoing packets and verify the integrity of incoming packets. This ensures that the data exchanged between the client and server has not been altered during transmission, safeguarding against tampering and ensuring the authenticity of the communication, a vital aspect of SSH’s security model.

Disable weak ciphers in SSHD #

To enhance the security of SSHd service, you may need to modify SSH’s cipher, MAC, and key algorithms to ensure that no MD5 or 96-bit HMAC are being used (hmac-md5 hmac-md5-96 hmac-sha1-96). Please proceed with the following steps.

Check Existing SSHd Configuration #

Examine the current SSH configuration to identify the allowed ciphers, MACs, and key algorithms. Use the following command to gather this information:

root@noid-ee-01:~# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Edit SSHD Configuration #

To improve security, consider disabling weaker ciphers and MACs. Use a text editor (like nano or vi) to edit the SSHD configuration file (located at /etc/ssh/sshd_config). Remove the ciphers and MACs you don’t want to allow and save the file. If the configuration doesn’t exist, add new lines at the end of the file.

ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512

Restart the SSHD Service #

After making changes, restart the SSHD service to apply the new configuration.

root@noid-ee-01:~# systemctl restart sshd

Check the new configuration #

Verify the updated configuration using the same command as before.

root@nid-ee-01:~# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

These steps help strengthen SSH security by configuring SSH to use more secure cipher suites and MACs while disabling weaker options, enhancing the overall security of the SSHd service. Be aware that altering these settings might impact compatibility with older or less secure SSH clients, so ensure that your changes align with your specific security requirements.

SHARE ON:

Powered by BetterDocs