
2/10/2021 Document 1682164.

Copyright (c) 2021, Oracle. All rights reserved. Oracle Confidential.

How To Disable 96-bit HMAC Algorithms And MD5-based HMAC Algorithms On Solaris sshd
(Doc ID 1682164.1)

In this Document

Symptoms
Cause
Solution
References

APPLIES TO:

Solaris Operating System - Version 10 3/05 HW2 to 11.4 [Release 10.0 to 11.0]
Information in this document applies to any platform.

SYMPTOMS

The security scanner reported the following vulnerabilities on Solaris regarding the SunSSH sshd (secure shell daemon):

Vulnerability Info for Vuln_id= 78685

App Id: 59
Application: SSH
Vuln Name: SSH Insecure HMAC Algorithms Enabled
Vuln Score: 131
Advisories:
nCircle CVSS Base Score: 4.0
Risk: Remote Access
Skill: No Known Exploit
Strategy: Data-Driven Attack
Description:

DESCRIPTION:

Insecure HMAC Algorithms are enabled

SOLUTION:

Disable any 96-bit HMAC Algorithms.
Disable any MD5-based HMAC Algorithms.

CAUSE

96-bit HMAC and MD5-based HMAC algorithms are enabled in the current SSH configuration.

SOLUTION

Use "man sshd_config" to check the default MAC algorithms of the current SSH:

Example:

# man sshd_config


MACs
    Specifies the available MAC (message authentication code)
    algorithms. The MAC algorithm is used in protocol version 2
    for data integrity protection. Multiple algorithms must be
    comma-separated. The default is hmac-md5,hmac-sha1,
    hmac-sha1-96,hmac-md5-96, hmac-sha2-256, hmac-sha2-256-96,
    hmac-sha2-512, and hmac-sha2-512-96.

You need a statement in /etc/ssh/sshd_config like the following:

Macs hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96

The MACs line above omits the hmac-md5, hmac-sha1-96 and hmac-md5-96 algorithms.

After changing /etc/ssh/sshd_config, restart the service:

# svcadm restart ssh
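
As an added example (not part of the Oracle note), the following POSIX shell function checks the MACs list that an sshd_config enables against the scanner's two criteria: MD5-based, or 96-bit by name. The function name flag_weak_macs, the DEFAULT_MACS variable and the sample input are constructed for illustration; the default list is copied from the man page excerpt above and is assumed to match your release.

```shell
#!/bin/sh
# Added example (not from the Oracle note): list the MACs that an sshd_config
# enables and that match the scanner's two criteria, MD5-based or 96-bit.

# Default list as quoted in the sshd_config man page excerpt above; used when
# the file has no MACs line. Assumption: your release's default matches it.
DEFAULT_MACS="hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96"

# flag_weak_macs: reads sshd_config text on stdin and prints the flagged
# algorithms space-separated on one line (prints nothing if the list is clean).
flag_weak_macs() {
    list=""
    while read -r key value; do
        case $key in
            # The keyword is matched case-insensitively ("Macs", "MACs").
            # Commented lines start with "#" and never match.
            # Assumption: the file carries a single MACs line; the first wins.
            [Mm][Aa][Cc][Ss]) list=$value; break ;;
        esac
    done
    [ -n "$list" ] || list=$DEFAULT_MACS

    weak=""
    old_ifs=$IFS
    IFS=', '                      # algorithms are comma-separated
    for mac in $list; do
        case $mac in
            *md5*|*-96) weak="${weak:+$weak }$mac" ;;
        esac
    done
    IFS=$old_ifs
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak"
    fi
    return 0
}

# Constructed sample input: the Macs line recommended in this note.
SAMPLE_CONFIG='# constructed sample sshd_config
Protocol 2
Macs hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96'

printf '%s\n' "$SAMPLE_CONFIG" | flag_weak_macs
```

Against a live system, run it as `flag_weak_macs < /etc/ssh/sshd_config`. On the Macs line shown above it still reports hmac-sha2-256-96 and hmac-sha2-512-96, which are 96-bit variants by name.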

REFERENCES

NOTE:2086158.1 - How to Check which SSH Ciphers and HMAC Algorithms are in use