Re: how to disable support for MD5 in ssh server
- Reply: Dale Scott : "Re: how to disable support for MD5 in ssh server"
- In reply to: Jon Radel : "Re: how to disable support for MD5 in ssh server"
Date: Wed, 09 Feb 2022 21:12:20 UTC
The dreaded follow-up to my own response: If you do try ssh-audit, run it with -v. md5 hashes can also be used with server fingerprints. That's only reported in verbose mode. I'm unclear if you can turn off md5 completely for that, though FingerprintHash seems to control whether they're paid attention to.

Have fun!

--Jon Radel
jon@radel.com

> On Feb 9, 2022, at 3:29 PM, Jon Radel <jon@radel.com> wrote:
>
> It would be in the macs, not ciphers. Not that that changes the fact that it's been some time since any of the default macs used md5.
>
> You might get a second opinion on what's happening using a tool such as jtesta/ssh-audit on GitHub.
>
> And I'd be tempted to explicitly set the macs to what the man page said they're supposed to be. It's not completely unknown for a man page and program to get out of sync.
>
> --Jon Radel
> jon@radel.com
>
>> On Feb 9, 2022, at 1:40 PM, Dale Scott <dalescott@shaw.ca> wrote:
>>
>> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
>>
>> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm."
>>
>> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
>>
>> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
>>
>> The only edit I have made to the default /etc/ssh/sshd_config was to disable password login (to allow ssh only).
>>
>> What am I not understanding? Google hasn't been much help, although I expect I haven't been asking the right question.
>>
>> Should I disable MD5 as recommended, and how?
>>
>> % uname -a
>> FreeBSD starlord 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
>>
>> Many thanks in advance,
>> Dale
>>
>> P.S.
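Jon's two pointers, the MAC list rather than Ciphers and the FingerprintHash setting, turned into a check over `sshd -T` output. This is an added example, not code from the thread; the sample `sshd -T` dumps and the hardened MAC list are constructed and assumed, so adjust the list to what your clients support.

```shell
#!/bin/sh
# Added example (not from the thread): scan `sshd -T` output for MD5 in the
# MAC list or in FingerprintHash. Real-host usage:  sshd -T | check_sshd_md5

# Constructed sample `sshd -T` output with an MD5 MAC and MD5 fingerprints.
SAMPLE_WEAK='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha2-256
fingerprinthash MD5
kexalgorithms curve25519-sha256'

# Constructed sample after the fix.
SAMPLE_OK='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
fingerprinthash SHA256
kexalgorithms curve25519-sha256'

# Assumed hardened lines for /etc/ssh/sshd_config; after `service sshd reload`
# on FreeBSD, re-run `sshd -T` and this check to confirm they took effect.
HARDENED='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
FingerprintHash sha256'

# Reads `sshd -T` output on stdin, prints each MD5 finding, returns 1 if any.
check_sshd_md5() {
    found=0
    while read -r key value; do
        # sshd -T prints keywords in lowercase but some values in uppercase
        value=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
        case "$key" in
            macs)
                # walk the comma-separated MAC list and flag md5-based entries
                for mac in $(printf '%s' "$value" | tr ',' ' '); do
                    case "$mac" in
                        *md5*) echo "MD5-based MAC offered: $mac"; found=1 ;;
                    esac
                done ;;
            fingerprinthash)
                case "$value" in
                    md5) echo "FingerprintHash is md5 (set it to sha256)"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Stand-alone demo over both constructed samples.
printf '%s\n' "$SAMPLE_WEAK" | check_sshd_md5 || { echo "Apply to sshd_config:"; echo "$HARDENED"; }
printf '%s\n' "$SAMPLE_OK" | check_sshd_md5 && echo "no MD5 found"
```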