sshopensshubuntu-22.04

Ubuntu 22 Disable SSH Weak Message Authentication Code Algorithms


I have installed latest Ubuntu 22.04.2 version, but after performing the security assessment our security team found following ssh vulnerability. What changes do we need to make to fix this vulnerability?

Vulnerability_Risk Detail:

SSH Weak Message Authentication Code Algorithms

Summary:

The SSH server supports cryptographically weak Hash-based message authentication codes (HMACs) including MD5 or 96-bit Hash-based algorithms.

Remediation:

Disable any MD5 or 96-bit HMAC algorithms within the SSH configurationConsult the product documentation for instructions to disable any insecure MD5 or 96-bit HMAC algorithms within the SSH configuration.

I tried the following config changes, but still can see both weak algorithms ( umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1):

Here are the changes I made in the sshd_config file.

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Solution

  • Here's what I did when removing insecure macs after a security audit identified them as a risk. Answering here since it was the first result I found when searching for how to do this myself. I think moving it to AskUbuntu or serverfault or superuser would make sense.

    First, I did some background reading. this doc on Ubuntu ssh config and this doc on openssh crypto config were helpful. One big note: you can lock yourself out if you do this wrong, so after all the steps below be sure you try connecting to the server again and are able to get in before you disconnect from the session where you are configuring sshd.

    For the actual configuration process. I started by confirming I was seeing the weak algorithms by connecting with verbosity turned all the way up.

    ssh -vvv gknaddison@servername and confirmed I could see the weak MACs at the start:

    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    

    Then I added file in /etc/ssh/sshd_config.d/60-remove-insecure-mac.conf with the contents:

    MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
    

    And then I restarted the sshd: service sshd restart

    And then I did the ssh -vvv to confirm the weak macs were gone.

    debug2: MACs stoc: umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
    

    I then reached out to everyone who connects to the server and let them know about the change so they will understand what's going wrong if they try to connect and fail or observe an automated job that's failing to connect.