Hmac-md5-96 bit needs to be disabled

We have done the vulnerability scanning and it says that hmac-md5-96 needs to be disabled, but in our ssh configuration file we have added the entry to disable hmac-md5-96.

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
#MACs hmac-md5,umac-64@openssh.com,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96,hmac-md5-96

But the vulnerability is still not getting closed. Can you help me with this?

Changing ciphers in the sshd_config file will not get you very far, as it is dictated by the crypto-policy on the system.

I recommend reading the following articles:

@nazunalika,

I have changed the cryptographic policy from Legacy to Default, but after that, when we do the vulnerability scanning, it is now giving the error below.

Insecure MAC algorithms in use: hmac-sha1-etm@openssh.com,hmac-sha1

We have removed those lines in the sshd config file as well as in the /etc/crypto-policies/back-ends/openssh.config file.

Can you please help me with this issue?

Issue fixed, thanks @nazunalika for your support.
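
An added example, not part of the original thread: a shell check that reads sshd-style configuration text on stdin (for instance the output of `sshd -T`) and lists the MD5-based, SHA-1-based and 64-bit-tag MACs still present on active `MACs` lines. The function names and the weak-algorithm patterns are assumptions made for this example, and it assumes the text fed in reflects the options the running sshd was actually started with; the sample input is the pair of lines posted above.

```shell
#!/bin/sh
# Added example: flag weak MAC algorithms on active "MACs" lines.

# Print a reason if the MAC name is considered weak, nothing otherwise.
# The patterns are this example's assumed policy, not a scanner's rule set.
mac_weakness() {
  case "$1" in
    *md5*)    echo "MD5-based" ;;
    *sha1*)   echo "SHA-1-based" ;;
    umac-64*) echo "64-bit tag" ;;
  esac
}

# Read config text on stdin and print "<mac><TAB><reason>" per weak entry.
# Returns 1 if any weak MAC is listed, 0 otherwise.
weak_macs() {
  found=0
  while read -r key value; do
    # Keyword is case-insensitive; "#MACs ..." is a comment and is skipped.
    case "$key" in
      [Mm][Aa][Cc][Ss]) ;;
      *) continue ;;
    esac
    # A leading +, - or ^ edits the default set instead of replacing it,
    # so the line alone does not say what is enabled.
    case "$value" in
      [-+^]*) echo "modifier list, check the resolved value: $value" >&2
              continue ;;
    esac
    old_ifs=$IFS; IFS=,
    for mac in $value; do
      reason=$(mac_weakness "$mac")
      if [ -n "$reason" ]; then
        printf '%s\t%s\n' "$mac" "$reason"
        found=1
      fi
    done
    IFS=$old_ifs
  done
  return "$found"
}

# Sample input: the two MACs lines posted in the thread above.
SAMPLE_CONFIG='#MACs hmac-md5,umac-64@openssh.com,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-96,hmac-md5-96'

printf '%s\n' "$SAMPLE_CONFIG" | weak_macs || true
```

On the posted configuration this reports `hmac-sha1-96` and `hmac-md5-96`, both of which are listed on the active `MACs` line.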
