
Howdy!



Here is a worklet to detect and disable weak and vulnerable algorithms in the sshd service. These algorithms are usually kept enabled for compatibility reasons but they’re usually safe to disable if your users have updated systems.



Here is a good write-up on known weak and vulnerable algorithms.



Evaluation:

#!/bin/bash

# Dump the effective sshd settings (sshd -T needs root), keep only the
# Ciphers, MACs and KexAlgorithms lines, and look for weak algorithm names.
# The original mixed basic-regex "\|" with plain "|", so only the first
# alternative actually worked; grep -E makes the alternation explicit.
sshd -T | grep -E "^(ciphers|macs|kexalgorithms) " | grep -E "sha1|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc"

# grep returns 0 if a weak algorithm was found; exit 1 to flag the device as non-compliant
[[ $? -eq 0 ]] && exit 1

exit 0



Remediation:

#!/bin/bash

# Add a definitive list of ciphers to the sshd config. This list was tested to work on a fresh install of Ubuntu 18.04.
# Note: sshd uses the first value it reads for each keyword, so if Ciphers, KexAlgorithms
# or MACs are already set earlier in the file, those lines must be edited instead of appended.
cat >> /etc/ssh/sshd_config <<EOL
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOL

# Validate the resulting config before restarting so a bad entry cannot lock out remote access
sshd -t || exit 1

# restart the sshd service so the new algorithm lists take effect
service sshd restart
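As an added example (not part of the worklet above), here is a POSIX sh audit that reads an sshd -T dump and reports each weak algorithm by directive, so you can see exactly what the remediation will drop before applying it. The sample dump, and the names SAMPLE_DUMP, find_weak_algos and audit_sample, are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the worklet above): audit an "sshd -T" dump and
# report every weak algorithm by directive, using the worklet's deny list.
# POSIX sh only, so it runs on any host the worklet targets.

# Constructed sample of "sshd -T" output for offline testing; on a real host
# feed the function directly:  sshd -T | find_weak_algos   (sshd -T needs root)
SAMPLE_DUMP='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1'

# Reads sshd -T output on stdin and prints "directive algorithm" for each
# entry that matches the deny list. Returns 0 if anything weak was found,
# 1 if the three algorithm directives are clean (same convention as grep).
find_weak_algos() {
    found=1
    while read -r directive list; do
        case "$directive" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        # sshd -T prints each list comma-separated; test every entry on its own
        for algo in $(printf '%s\n' "$list" | tr ',' ' '); do
            case "$algo" in
                *sha1*|*rc4*|*arcfour*|*md5*|*blowfish*|*idea*|*3des*|*cast128*|*cbc*)
                    printf '%s %s\n' "$directive" "$algo"
                    found=0 ;;
            esac
        done
    done
    return "$found"
}

# Runs the audit over the constructed sample; prints five weak entries
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_weak_algos
}
```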

Hi, long time, but I wanted to ask if this worklet will work on MacBooks with OSX 14 Sonoma by any chance.

