Validate SSH hardening to address the vulnerabilities

Kaushal Shriyan kaushalshriyan at gmail.com
Tue May 25 22:34:34 AEST 2021


Hi,

I am running openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release
7.9.2009 (Core).

#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
#rpm -qa | grep -i ssh
openssh-clients-7.4p1-21.el7.x86_64
libssh2-1.8.0-4.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
#

I have configured the below SSH configuration as part of hardening to
address vulnerabilities.

KexAlgorithms curve25519-sha256,curve25519-sha256 at libssh.org
> ,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,
> aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com


Is there a way to validate if the above Key exchange, Cipher and MAC
algorithms address the vulnerabilities? Please guide. Thanks in advance.

Best Regards,

Kaushal


More information about the openssh-unix-dev mailing list