SSH Weak MAC Algorithms Enabled

Nessus Output

Description

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.


Output from CentOS 7 system:

The following client-to-server Message Authentication Code (MAC) algorithms
are supported : 

 hmac-md5
 hmac-md5-96
 [email protected]
 [email protected]
 hmac-sha1-96
 [email protected]

The following server-to-client Message Authentication Code (MAC) algorithms
are supported : 

 hmac-md5
 hmac-md5-96
 [email protected]
 hmac-m[email protected]
 hmac-sha1-96
 [email protected]

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Then restart the SSH daemon:

systemctl restart sshd
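
To confirm the change took effect, the effective MAC list can be checked against the criteria from the Description (MD5-based or 96-bit). This is an added example, not part of the original page or the Nessus plugin; the function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SSH MACs that match the finding's criteria
# (MD5-based, or truncated to 96 bits).

# weak_macs LIST: print each weak entry of a comma-separated MAC list,
# one per line. Prints nothing when no entry matches.
weak_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r mac; do
        case "$mac" in
            *md5*|*-96|*-96-etm@*) printf '%s\n' "$mac" ;;
        esac
    done
}

# effective_macs: read `sshd -T` output on stdin and print the value
# of the first "macs" line.
effective_macs() {
    awk 'tolower($1) == "macs" { print $2; exit }'
}

# audit_macs: read `sshd -T` output on stdin; list weak MACs and
# return 1 if any are enabled, 0 otherwise.
audit_macs() {
    found=$(weak_macs "$(effective_macs)")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/weak MAC enabled: /'
    return 1
}

# Constructed samples of `sshd -T` output, not captured from a real host.
SAMPLE_BEFORE='port 22
macs hmac-md5,hmac-md5-96,hmac-sha1-96,hmac-sha1,umac-64@openssh.com
ciphers aes128-ctr'
SAMPLE_AFTER='port 22
macs hmac-sha1,umac-64@openssh.com,hmac-ripemd160'

printf '%s\n' "$SAMPLE_BEFORE" | audit_macs || echo "before: finding present"
printf '%s\n' "$SAMPLE_AFTER" | audit_macs && echo "after: no weak MACs"

# On a live host (as root): sshd -t && sshd -T | audit_macs
```

Running `sshd -t` before the restart validates the edited file, so a typo in the MACs line does not leave the daemon unable to start.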