Hello, I am using OpenBSD when teaching the Unix operating system at the University of Ostrava. I have been asked by IT staff to remove hmac-sha1 from OpenSSH on two servers with OpenBSD 7.8 amd64.
The servers reported
mac_algorithms: (10)
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
hmac-sha2-256
hmac-sha2-512
hmac-sha1
I added to sshd_config
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
and got
mac_algorithms: (4)
[email protected]
[email protected]
hmac-sha2-512
hmac-sha2-256
I have two questions, please.
1) What are your recommended safe mac_algorithms?
2) Why does the default installation have the mac_algorithm hmac-sha1 enabled,
which the vulnerability scan tool reports as weak?
Best regards,
Jiří Navrátil
--
Jiri Navratil, https://openbsd.navratil.info, +420 777 224 245

