I received this flag/message from vulnerability scanning software:
The following weak key exchange algorithms are enabled :
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
I want to disable these two algorithms.
I queried sshd_config…
[root@vm01 ~]# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
kexalgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
[root@vm01 ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
[root@vm01 ~]# sshd -T | grep kex
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
kexalgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp25
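As you can see from the output, the client can use these algorithms. The problematic algorithms are not mentioned in sshd_config, not even in the following Ciphers section: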
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
Any help is greatly appreciated.
Note that I am using OpenSSH 7.4
sshd_config
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,-diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
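Answer 1
As far as I know, OpenSSH does support disabling specific key exchange algorithms or ciphers (they are actually two different things) by prefixing the list of algorithms to disable with a hyphen/minus sign -, although it is more common to explicitly set what you want to allow.
See: https://man.openbsd.org/sshd_config#KexAlgorithms
If KexAlgorithms is not currently set, your server is using the default settings. You can keep the defaults and disable the two problematic weak key exchange algorithms with the following: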
# sshd_config
...
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Or you can set more explicit, strong settings, for example (this may break backward compatibility with older clients):
# sshd_config
...
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
Answer 2
When running "ssh -Q Kex", I ran into the same problem with "weak key exchange algorithms":
[root@ ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
My ssh version is:
[root@ ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
So I cannot use '-', and I tried adding a line to sshd_config:
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
I ran systemctl restart sshd and then ssh -Q kex, and the system still responds:
[root@l ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
I would like to know which part of my configuration is wrong or what I am missing, thanks.
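An added example (not from any of the posts above): a POSIX shell check that reads `sshd -T` output and reports whether the two algorithms the scanner flagged are in the server's effective `kexalgorithms` list. `ssh -Q kex` only lists what the installed binary supports and does not change with sshd_config, so the check uses `sshd -T`; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report weak key exchange algorithms in the *effective*
# sshd configuration. Input is the text printed by `sshd -T`.

# The two algorithms the scanner on this page flagged.
WEAK_KEX="diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"

# effective_kex (hypothetical helper): read `sshd -T` output on stdin and
# print one KEX name per line. Only the "kexalgorithms" line is used;
# "gssapikexalgorithms" is a separate option and is not matched.
effective_kex() {
    awk '$1 == "kexalgorithms" {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) print a[i]
    }'
}

# weak_kex_enabled (hypothetical helper): read `sshd -T` output on stdin and
# print each weak algorithm the server would offer.
# Exit status: 0 if none are offered, 1 if at least one is.
weak_kex_enabled() {
    found=0
    kex_list=$(effective_kex)
    for alg in $WEAK_KEX; do
        # -x whole-line and -F fixed-string matching, so
        # "...-exchange-sha1" never matches "...-exchange-sha256".
        if printf '%s\n' "$kex_list" | grep -qxF -- "$alg"; then
            printf '%s\n' "$alg"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_HARDENED='gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256'
SAMPLE_WEAK='kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_HARDENED" | weak_kex_enabled && echo "hardened sample: clean"
printf '%s\n' "$SAMPLE_WEAK" | weak_kex_enabled || echo "weak sample: still offered"

# On a live server, as root: sshd -T | weak_kex_enabled
```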