Ciphers -chacha20-poly1305@openssh.com MACs -*etm@openssh.comSSHのセキュリティ弱体化攻撃「Terrapin」の対策公開、JPCERT/CC | TECH+(テックプラス) 2023
# Ciphers # chacha20-poly1305@openssh.com, # aes128-ctr,aes192-ctr,aes256-ctr, # aes128-gcm@openssh.com,aes256-gcm@openssh.com # # CVE-2023-48795 Workaround Ciphers -chacha20-poly1305@openssh.com # KexAlgorithms # sntrup761x25519-sha512@openssh.com, # curve25519-sha256,curve25519-sha256@libssh.org, # ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, # diffie-hellman-group-exchange-sha256, # diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, # diffie-hellman-group14-sha256 # # Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater) # disable diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 # MACs # umac-64-etm@openssh.com,umac-128-etm@openssh.com, # hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, # hmac-sha1-etm@openssh.com, # umac-64@openssh.com,umac-128@openssh.com, # hmac-sha2-256,hmac-sha2-512,hmac-sha1 # # Weak MAC Algorithm(s) Supported (SSH) # disable umac-64-etm@openssh.com,umac-64@openssh.com # CVE-2023-48795 Workaround # MACs -*etm@openssh.com MACs umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1