ssh-audit
Help Hardening Almalinux 8
Greetings everyone!
I'm attempting to harden my AlmaLinux 8. I followed the Rocky Linux 8 guide but I'm still getting these:
algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -ssh-rsa -- key algorithm to remove
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
!!! WARNING: unknown algorithm(s) found!: [email protected]. Please email the full output above to the maintainer ([email protected]), or create a Github issue at https://github.com/jtesta/ssh-audit/issues.
If I do:
sudo nano opensshserver.config
I get this:
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
RequiredRSASize 3072
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
What should I do? Please help!
Did that platform originally have a /etc/crypto-policies/back-ends/opensshserver.config file?
What are the full contents of /etc/ssh/sshd_config?
What are the full contents of all files in /etc/ssh/sshd_config.d/?
What command did you use to restart the OpenSSH service?
AlmaLinux is a RHEL-like Linux that has system-wide crypto policies. A compliant setup should use a crypto policy, and policy modifications are allowed, for example:
# https://access.redhat.com/articles/3642912
# https://gitlab.com/redhat-crypto/fedora-crypto-policies
# This is a stricter policy than FIPS:OSPP
# message authentication code algorithms
# https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/issues/48
mac@SSH = -*-64* -UMAC-128 -HMAC-SHA1
# Encrypt then MAC. Prioritize the etm over the non-etm macs
ssh_etm = 1
# key exchange algorithms
key_exchange = ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
# Disable weak DH groups and NIST curves
group@SSH = +X25519 +X448 -FFDHE-2048 -SECP256R1 -SECP384R1 -SECP521R1
# Disabled diffie-hellman-group-exchange-sha256, enable for CIS-CAT Pro audit tool
arbitrary_dh_groups = 0
hash = -SHA1
sign = -*-SHA1
sign@SSH = -*-SHA1 +EDDSA-ED25519
min_rsa_size = 2048
min_dh_size = 3072
# encryption algorithms (ciphers)
cipher@SSH = -*-CBC -CHACHA20-POLY1305 +AES-192-CTR -AES*-GCM
ssh_certs = 1
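A check to run after a policy has been applied, as an added example (it is not from the ssh-audit project or from any participant in this issue). It reads `sshd -T` output, which prints the configuration sshd actually uses once crypto-policy options and any `Include`d files have been merged, and lists the algorithms from the recommendations quoted above that are still enabled. The sample input is constructed, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the ssh-audit project or this issue's participants.
# Reports which of the algorithms ssh-audit flagged in this issue are still
# present in the effective sshd configuration (`sshd -T` output).

# Algorithms taken from the ssh-audit recommendations quoted in the issue.
WEAK_ALGOS="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ecdsa-sha2-nistp256 ssh-rsa diffie-hellman-group14-sha1 hmac-sha1 hmac-sha2-256 hmac-sha2-512"

# find_weak_algos FILE: read `sshd -T` style output from FILE and print one
# "<keyword> <algorithm>" line for every flagged algorithm that is enabled.
find_weak_algos() {
    awk -v weak="$WEAK_ALGOS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) ~ /^(kexalgorithms|ciphers|macs|hostkeyalgorithms|pubkeyacceptedkeytypes|pubkeyacceptedalgorithms)$/ {
            m = split($2, algs, ",")
            for (i = 1; i <= m; i++) if (algs[i] in bad) print $1, algs[i]
        }' "$1"
}

# count_weak_algos FILE: number of flagged algorithms still enabled (0 = clean).
count_weak_algos() {
    find_weak_algos "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling `sshd -T` output from a host where the
# hardening did not take effect. This is not output from the poster's machine.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
EOF

# Prints five lines for the sample: two kex, two MAC and one host-key algorithm.
find_weak_algos "$SAMPLE"
```

On a live host, save the module above as `/etc/crypto-policies/policies/modules/HARDENED.pmod` (the module name `HARDENED` is an assumption; any name works), run `sudo update-crypto-policies --set DEFAULT:HARDENED`, restart sshd, then `sudo sshd -T > /tmp/sshd-effective.conf` and `find_weak_algos /tmp/sshd-effective.conf`; no output means none of the flagged algorithms survived. Checking `sshd -T` rather than a file matters because `update-crypto-policies` regenerates `/etc/crypto-policies/back-ends/opensshserver.config`, so edits made there by hand do not persist.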
I suppose I'll close this ticket, as @bbaassssiiee gave some instructions.
FYI, if anyone wants to make a community guide for hardening Almalinux, they can create a wiki page, then notify me in order to update the website: https://github.com/jtesta/ssh-audit/wiki/SSH-Hardening-Guides-Index