Re: how to disable support for MD5 in ssh server
- In reply to: Michael Sierchio : "Re: how to disable support for MD5 in ssh server"
Date: Fri, 11 Feb 2022 00:36:56 UTC
The report was bunk (or at least the part that alarmed me). After following a few rabbit holes I finally realized most of the issues were coming from a dot com TLD with the same domain name that had been included in my scorecard. I'm assuming SecurityScorecard's analytics defaults to assuming anyone who cares probably owns all the common TLD variants for their domain name. I challenged the relevant issues and they are being removed from my scorecard.

However I don't consider this exercise as a total waste of time. They found a VNC service I had forgotten I enabled (a VirtualBox vm console), they confirmed I hadn't done anything else stupid, and, after wading through the noise, I now know twice as much about my server as I did before. ;-)

Thanks everyone for your help.

> From: "Michael Sierchio" <kudzu@tenebras.com>
> To: "freebsd-questions" <freebsd-questions@freebsd.org>
> Sent: Thursday, February 10, 2022 3:16:35 PM
> Subject: Re: how to disable support for MD5 in ssh server

> On Wed, Feb 9, 2022 at 10:39 AM Dale Scott <dalescott@shaw.ca> wrote:
>> Hi all, I'm a security novice so I signed up with SecurityScorecard for a review.
>> My scorecard has 3 points subtracted because "The SSH server is configured to support MD5 algorithm."
>> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in defaults.
>> I also don't see MD5 listed in the response to "# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"

> I would conclude that SecurityScorecard is bunk, incompetent, a waste of time.
> sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkeyalgorithms\)"
> Certainly says what your server is willing to negotiate. Who knows why they came to the conclusion they did.
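
The `sshd -T` check quoted in this thread can be turned into a repeatable audit that splits each algorithm list and reports any MD5-based entry. This is an added example, not part of the original messages; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output for MD5-based algorithms.

# Reads effective sshd configuration (the output of `sshd -T`) on stdin and
# prints one "keyword algorithm" line per MD5-based algorithm offered.
find_md5_algos() {
    awk '
        # sshd -T prints a lowercase keyword, then a comma-separated list.
        $1 == "ciphers" || $1 == "macs" ||
        $1 == "kexalgorithms" || $1 == "hostkeyalgorithms" {
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algos[i]) ~ /md5/)
                    print $1, algos[i]
        }
    '
}

# Returns 0 when no MD5 algorithm is offered, 1 otherwise (for cron or CI).
audit_sshd_md5() {
    findings=$(find_md5_algos)
    if [ -n "$findings" ]; then
        printf 'MD5-based algorithms offered:\n%s\n' "$findings"
        return 1
    fi
    printf 'No MD5 in ciphers, MACs, KEX or host key algorithms.\n'
    return 0
}

# Constructed sample: a configuration with no MD5 algorithms.
SAMPLE_CLEAN='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Constructed sample: legacy MD5 MACs explicitly re-enabled.
SAMPLE_LEGACY='port 22
ciphers aes128-ctr
macs hmac-sha2-256,hmac-md5,hmac-md5-96-etm@openssh.com
kexalgorithms curve25519-sha256'

# On a real server (as root): sshd -T | audit_sshd_md5
printf '%s\n' "$SAMPLE_CLEAN" | audit_sshd_md5
printf '%s\n' "$SAMPLE_LEGACY" | audit_sshd_md5 || true
```

A clean result only describes the host where `sshd -T` was run; as the thread shows, an external scan finding can come from a different host entirely, so confirm which hostname and address the scanner actually tested.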