Skip to content
Snippets Groups Projects
Commit 75556bf3 authored by Jörg Sachse's avatar Jörg Sachse
Browse files

sec: implement Terrapin (CVE-2023-48795) config mitigations while patches are unavailable

parent 7200fc1c
No related branches found
No related tags found
No related merge requests found
Pipeline #5621 failed
Stage: test
Hide whitespace changes
Inline Side-by-side
tasks/configure_ssh_hardening.yml
+ 4
1
View file @ 75556bf3
......@@ -56,6 +56,9 @@
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
# disable weak Ciphers (crypto algorithms)
# NVT OID: 1.3.6.1.4.1.25623.1.0.105611
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
# Also explicitely disable ChaCha ciphers for "Terrapin" (CVE-2023-48795)
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,-chacha20-poly1305@openssh.com
# Explicitely disable -ETM MACs for "Terrapin" (CVE-2023-48795)
MACs hmac-sha2-512,hmac-sha2-256,-*etm@openssh.com
notify:
- restart sshd
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment

DE: Impressum · Datenschutzerklärung | EN: Legal Notice · Privacy Policy