Talk:Disabling Weak MAC Algorithms on a Secure Shell Server


After installing or upgrading Analytics Server, reconfigure the SSH server to use only strong MAC algorithms.

To list the MAC algorithms the server currently offers, run the sudo sshd -T | grep mac command. MD5 and 96-bit MAC algorithms are considered weak, so you must remove them.

To remove the weak MAC algorithms, perform the following:

   Log in to Analytics Server with root credentials.
   Open the /etc/ssh/sshd_config file and search for macs.
   Remove the weak MAC algorithms that are mentioned in the file.
   The entry will be similar to the following line and can include additional strong MAC algorithms:

macs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com

   Save the file.
   Restart the sshd service by using the service sshd restart command.
   Launch a new SSH session before closing the existing session. This verifies the connection and confirms that you can log in to the server with the root account.
   (Conditional) If the connection to the server fails, revert the changes to the sshd_config file.
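
The filtering step in the procedure above can be scripted. The following is an added example, not part of the original page or the product documentation: it applies the page's rule (MD5 and 96-bit MACs are weak) to the macs line of sshd -T output. The function names macs_from_dump and filter_macs and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Rule taken from the page: MD5 and 96-bit MACs are weak.

# Pull the MAC list out of `sshd -T` output read from stdin.
macs_from_dump() {
    awk '$1 == "macs" { print $2 }'
}

# filter_macs strong|weak LIST
# Prints the entries of the comma-separated LIST that are strong (or weak),
# in their original order. Runs in a subshell so the IFS change stays local.
filter_macs() (
    want=$1 out=
    set -f                      # no filename expansion while splitting
    IFS=,
    for m in $2; do
        [ -n "$m" ] || continue # ignore empty entries (stray commas)
        case $m in
            *md5*|*-96|*-96-*) kind=weak ;;   # e.g. hmac-md5, hmac-sha1-96
            *)                 kind=strong ;;
        esac
        if [ "$kind" = "$want" ]; then
            out=${out:+$out,}$m
        fi
    done
    printf '%s\n' "$out"
)

# Constructed sample of `sshd -T` output (not taken from a real server).
sample_dump='port 22
macs hmac-md5,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-md5-96-etm@openssh.com,hmac-sha2-512-etm@openssh.com
ciphers aes256-ctr'

current=$(printf '%s\n' "$sample_dump" | macs_from_dump)
echo "remove: $(filter_macs weak "$current")"
echo "macs $(filter_macs strong "$current")"

# On a live server: current=$(sudo sshd -T | macs_from_dump)
# After editing sshd_config, `sudo sshd -t` checks the file for errors
# before the restart; keep the existing session open as the page advises.
```

The second line printed is the macs entry to place in /etc/ssh/sshd_config; the first lists what was dropped so the change can be reviewed.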