我们有一个安全建议,建议在 sshd_config 中禁用弱 MAC。
我可以用这一行禁用大部分(基于新的- 句法从 Debian 10 开始可用):
MACs -*md5*,*sha1,*sha1-*,*-64,*-96,*64-etm
但是,我不知怎的未能禁用[email protected]和[email protected]。
...即使我将这些明确添加到排除列表中:
MACs -*md5*,*sha1,*sha1-*,*-64,*-96,*64-etm,[email protected],[email protected]
ssh -Q mac
> hmac-sha1
> hmac-sha1-96
> hmac-sha2-256
> hmac-sha2-512
> hmac-md5
> hmac-md5-96
> [email protected] <-- this
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected] <-- and this
> [email protected]
另外,sshd -T打印我的整个 ssh 配置,并且有问题的两个 MAC 没有显示在那里:
[...]
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512
[...]
什么是 ging?