Re: how to disable support for MD5 in ssh server

From: Jon Radel <jon_at_radel.com>
Date: Wed, 09 Feb 2022 20:27:41 UTC

It would be in the macs, not ciphers. Not that that changes the fact that it’s been some time since any of the default macs used md5.

You might get a second opinion on what’s happening using a tool such as jtesta/ssh-audit on GitHub. 

And I’d be tempted to explicitly set the macs to what the man page said they’re supposed to be. It’s not completely unknown for a man page and program to get out of sync. 

--Jon Radel
jon@radel.com

> On Feb 9, 2022, at 1:40 PM, Dale Scott <dalescott@shaw.ca> wrote:
> 
> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
> 
> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm." 
> 
> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
> 
> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
> 
> The only edit I have made to the default /etc/ssh/sshd_config was to disable password login (to allow ssh only).
> 
> What am I not understanding? Google hasn't been much help, although I expect I haven't been asking the right question.
> 
> Should I disable MD5 as recommended, and how?
> 
> 
> % uname -a
> FreeBSD starlord 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
> 
> Many thanks in advance,
> Dale
> 
> P.S. 
> 
> 
>
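
The check discussed in this thread, as an added example that is not part of either message: it scans `sshd -T` output for any algorithm name containing md5 (MACs included, not just ciphers) and prints an explicit `MACs` line with those entries dropped. The function names and the sample `sshd -T` output are constructed for illustration and do not come from the poster's host.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output with two md5 MACs planted in it.
sample_sshd_T() {
cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-md5,hmac-sha2-512,hmac-md5-96-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
EOF
}

# find_md5: read `sshd -T` output on stdin and print "keyword algorithm"
# for every listed algorithm whose name contains "md5".
find_md5() {
    awk '
        $1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" ||
        $1 == "hostkeyalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) ~ /md5/) print $1, algs[i]
        }'
}

# macs_without_md5: read `sshd -T` output on stdin and print an explicit
# "MACs ..." line for sshd_config with every md5-based MAC removed.
macs_without_md5() {
    awk '
        $1 == "macs" {
            n = split($2, algs, ","); out = ""
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) !~ /md5/)
                    out = out (out == "" ? "" : ",") algs[i]
            if (out != "") print "MACs " out
        }'
}

# On a live host, as root: sshd -T | find_md5 ; sshd -T | macs_without_md5
sample_sshd_T | find_md5
sample_sshd_T | macs_without_md5
```

Empty output from `find_md5` on a live host means the running configuration offers no md5 algorithm, which is the point at which an external scanner such as ssh-audit gives the second opinion suggested above.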