Symptoms
PCI scanners will report a failure similar to the below:
"SSH data integrity is protected by including with each packet a MAC that is computed from a shared secret, packet sequence number, and the contents of the packet. The algorithms supported by this SSH service use cryptographically weak hashing (MAC) algorithms for data integrity."
Description
When reviewing a PCI scan, one of the common issues is that the SSHD supports weak hashing algorithms. More often than not, this issue can occur when a server is using the default SSHD settings. Modifications to the SSHD configuration will resolve this issue.
Solution
For the Macs, Ciphers, and Algorithms, the below SSHD edits will be sufficient. The PCI scan concern is to disable the below insecure hashing algorithms:
Mac hmac-sha1, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
The steps to accomplish the task:
Note: Login to SSH, CLI, or terminal as root is required to edit the SSHD configuration file.
- Edit the SSHD configuration file "/etc/ssh/sshd_config" to add below lines:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- Restart SSHD:
/scripts/restartsrv_sshd
- Now retest to confirm the algorithms in question have been disabled successfully with SSHD commands.
Command to test available "KexAlgorithms" in SSHD:
sshd -T |grep ^kexalgorithmsCommand to test available "MACs" in SSHD:
sshd -T |grep ^macsCommand to test available "Ciphers" in SSHD:
sshd -T |grep ^ciphers
That's it! After confirming the hashing algorithms are secure, the PCI vendor will need to perform a new scan.