如何解決 SSH Server 使用了不安全的加密演算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160
弱點掃瞄
弱點 1: SSH Supports Weak Cipher
The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.
- Severity: Medium
- Risk: A weak cipher has been detected.
- Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.
弱點 2: SSH Supports Weak MAC
The SSH server is configured to support MD5 algorithm. The cryptographic strength depends upon the size of the key and algorithm that is used. A Modern MAC algorithms such as SHA1 or SHA2 should be used instead.
- Severity: Medium
- Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
- Recommendation: Configure the SSH server to disable the use of MD5.
解決方法
說明
2022 年,SSH 通訊協定被列為不安全的加密演算法有 ARCFOUR(RC4)、CBC、HMAC-MD5、HMAC-RIPEMD160,以及他們所衍生的其它演算法。
加密演算法與 SSH 中的 Ciphers 與 MACs 的功能選項有關:
- Ciphers: 密碼編碼、演算法
- MACs: 訊息鑑別碼 (Message Authentication Code)
簡單來說,只要修改設定檔,關閉這些不安全的演算法即可。
執行步驟
1. 我的 Linux Server 是 CentOS,首先於 Server 查看 sshd_config 說明文件,找到關於 Ciphers 與 MACs 所支援的演算法與預設值。
$ man sshd_config
以下列出我在幾台 Server 中,找到的 4 個不同版本的 opnessh 說明文件內容:
[openssh-7.4p1-22]
Ciphers Specifies the ciphers allowed. Multiple ciphers must be comma- separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr [email protected] [email protected] arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected] The default is: [email protected], aes128-ctr,aes192-ctr,aes256-ctr, [email protected],[email protected], aes128-cbc,aes192-cbc,aes256-cbc, blowfish-cbc,cast128-cbc,3des-cbc The list of available ciphers may also be obtained using "ssh -Q cipher". MACs Specifies the available MAC (message authentication code) algo‐ rithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. The supported MACs are: hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] The default is: [email protected],[email protected], [email protected],[email protected], [email protected], [email protected],[email protected], hmac-sha2-256,hmac-sha2-512,hmac-sha1, [email protected] The list of available MAC algorithms may also be obtained using "ssh -Q mac".
[openssh-5.3p1-123/openssh-5.3p1-124]
Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "[email protected]", and "cast128-cbc". The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour,[email protected] MACs Specifies the available MAC (message authentication code) algo- rithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-sepa- rated. The default is: hmac-md5,hmac-sha1,[email protected], hmac-ripemd160,hmac-sha1-96,hmac-md5-96, hmac-sha2-256,hmac-sha2-512,[email protected]
[openssh-4.3p2-82]
Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", and "cast128-cbc". The default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour MACs Specifies the available MAC (message authentication code) algo- rithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-sepa- rated. The default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
以上紅字的部份都是我們所要停用的演算法!
2. 修改 SSH 的預設值來「保留」安全的加密演算法。以 openssh-5.3p1-123 為例,編輯 /etc/ssh/sshd_config,加入:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr MACs hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512
3. 測試一下 sshd_config 的內容有沒有什麼錯誤:
$ /usr/sbin/sshd -t
4. 重新啟動 sshd:
$ service sshd restart
5. 查看 SSH 的 cipher 與 macs 是否與新的設定相符:
$ /usr/sbin/sshd -T | grep "\(ciphers\|macs\)" ciphers aes128-ctr,aes192-ctr,aes256-ctr macs hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512
6. 實際執行 ssh 連線測試 Server 是否已排除 arcfour 或 hmac-md5:
$ ssh -c arcfour localhost no matching cipher found: client arcfour server aes128-ctr,aes192-ctr,aes256-ctr $ ssh -o macs=hmac-md5 localhost no matching mac found: client hmac-md5 server hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512
這樣就大功告成了!
未來如果又有哪個加密的演算法被列為不安全,也是用一樣的方式來排除。
影響
某些較舊的 SSH 用戶端程式要連到 Server 時,因加密演算法的改變,會出現如下的錯誤訊息:
Cloudn't agree a client-to-server cipher (available: aes128-ctr,aes192-ctr,aes256-ctr)
很感謝你的分享,最近也正好在處理資安 issue,非常棒的知識。