PCI scanners will report a failure similar to the below:
"SSH data integrity is protected by including with each packet a MAC that is computed from a shared secret, packet sequence number, and the contents of the packet. The algorithms supported by this SSH service use cryptographically weak hashing (MAC) algorithms for data integrity."
When reviewing a PCI scan, one of the common findings is that the SSHD supports weak hashing (MAC) algorithms. This usually happens when a server is running with the default SSHD settings. Modifying the SSHD configuration will resolve the issue.
For the MACs, Ciphers, and KexAlgorithms, the SSHD edits below are sufficient. The PCI scan finding requires that the following insecure hashing (MAC) algorithms be disabled:
Mac hmac-sha1, email@example.com, firstname.lastname@example.org
The steps to accomplish the task:
Note: Logging in via SSH, CLI, or terminal as root is required to edit the SSHD configuration file.
- Edit the SSHD configuration file "/etc/ssh/sshd_config" and add the lines below:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- Restart SSHD:
- Retest with the SSHD commands below to confirm that the algorithms in question have been disabled successfully.
Command to test available "KexAlgorithms" in SSHD:
sshd -T | grep ^kexalgorithms
Command to test available "MACs" in SSHD:
sshd -T | grep ^macs
Command to test available "Ciphers" in SSHD:
sshd -T | grep ^ciphers
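The three grep commands above show what is enabled but leave it to the reader to spot the weak entries by eye. The script below is an added example (not part of the original article) that compares an "sshd -T" listing against lists of algorithms scanners commonly flag and reports any that are still enabled. With --live it reads the running daemon (sshd -T must run as root); without arguments it audits two constructed sample listings, a default install and the hardened configuration from this article, so it can be run on any machine. The weak-algorithm lists are assumptions based on typical scanner reports and should be extended to match the names in your own scan.

```shell
#!/bin/sh
# Added example (not from the original article): audit an "sshd -T" listing for
# algorithms a PCI scanner reports as weak. Pass --live to read the running
# daemon's effective settings (sshd -T must run as root); otherwise the script
# audits the constructed samples below so it can be run anywhere.

# Assumption: these are the algorithm names scanners most often flag; extend
# the lists to match the names in your own scan report.
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-sha1-etm@openssh.com umac-64-etm@openssh.com"
WEAK_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc"
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1"

# Constructed sample: the relevant lines of "sshd -T" from an OpenSSH install
# still running with default algorithm lists (sha1 MACs and kex present).
DEFAULT_SAMPLE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

# Constructed sample: the same lines after applying the sshd_config edits
# described in this article and restarting SSHD.
HARDENED_SAMPLE='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'

# find_weak KEYWORD WEAKLIST LISTING
# Prints one line per weak algorithm still enabled for KEYWORD (macs, ciphers
# or kexalgorithms) in LISTING; returns 1 if any was found, 0 otherwise.
find_weak() {
  keyword=$1
  weaklist=$2
  listing=$3
  # sshd -T prints the keyword in lowercase followed by a comma-separated list.
  enabled=$(printf '%s\n' "$listing" | grep "^$keyword " | cut -d' ' -f2- | tr ',' ' ')
  rc=0
  for alg in $enabled; do
    for weak in $weaklist; do
      if [ "$alg" = "$weak" ]; then
        echo "$keyword: weak algorithm still enabled: $alg"
        rc=1
      fi
    done
  done
  return $rc
}

# audit_listing LISTING
# Runs all three checks; returns 0 only when no weak algorithm is enabled.
audit_listing() {
  status=0
  find_weak macs "$WEAK_MACS" "$1" || status=1
  find_weak ciphers "$WEAK_CIPHERS" "$1" || status=1
  find_weak kexalgorithms "$WEAK_KEX" "$1" || status=1
  return $status
}

if [ "${1:-}" = "--live" ]; then
  LISTING=$(sshd -T 2>/dev/null) || { echo "sshd -T failed (run as root)"; exit 2; }
  audit_listing "$LISTING" && echo "live sshd: no weak algorithms enabled"
else
  echo "== default sample =="
  audit_listing "$DEFAULT_SAMPLE" || echo "default sample: weak algorithms found"
  echo "== hardened sample =="
  audit_listing "$HARDENED_SAMPLE" && echo "hardened sample: clean"
fi
```

Two caveats when using this against a real host: "sshd -T" prints the effective configuration from the file on disk, not what the running daemon negotiated, so the restart step above is still required before the scanner will see the change; and it is worth running "sshd -t" (lowercase, syntax check) before that restart, because a typo in the new Ciphers or MACs line will stop SSHD from starting and lock you out.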
That's it! After confirming the hashing algorithms are secure, the PCI vendor will need to perform a new scan.