
[Docker] Improve SSH Security by Removing Weak MACs and Adding Stronger Encryption

Summary

Enhance the SSH server configuration (sshd_config) in future releases to improve security by supporting strong encryption algorithms while removing outdated and weak algorithms.

Problem to Solve:

The current SSH server configuration includes weak algorithms (umac-64-etm@openssh.com and umac-64@openssh.com) that are flagged as insecure by security audits. Additionally, there is a need to enforce stronger encryption settings for compliance with modern security standards while maintaining backward compatibility with commonly used algorithms.

Proposed Solution:

Update the sshd_config template to:

  1. Remove weak MAC algorithms while keeping all other default configurations.

    • umac-64-etm@openssh.com
    • umac-64@openssh.com

    This can be achieved by appending the following configuration (a single leading "-" applies to the whole comma-separated list and removes those algorithms from the default set):

MACs -umac-64-etm@openssh.com,umac-64@openssh.com

  2. Provide a stronger encryption setup for environments requiring enhanced security by allowing these additional configurations:

    • Ciphers: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr
    • MACs: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com
    • Key Exchange Algorithms (KexAlgorithms): curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group18-sha512
    • HostKeyAlgorithms: ssh-ed25519, ecdsa-sha2-nistp521, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-256

    Full configuration:

# Strong encryption settings
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

# Host key algorithms
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
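
One way to confirm that a built image actually applies these settings is to audit the effective configuration printed by `sshd -T`. The script below is an added example, not part of the original proposal or the project's code; the function names and the sample input are constructed for illustration, and the strict profile is copied from the configuration above.

```python
import sys

# MACs the proposal removes from the default set.
WEAK_MACS = {"umac-64-etm@openssh.com", "umac-64@openssh.com"}

# Strict profile from the configuration above, keyed as `sshd -T` prints them.
STRICT = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group18-sha512",
                      "diffie-hellman-group-exchange-sha256"},
    "hostkeyalgorithms": {"ssh-ed25519", "ecdsa-sha2-nistp521", "rsa-sha2-512",
                          "rsa-sha2-256", "ssh-ed25519-cert-v01@openssh.com"},
}

def parse_effective(text):
    """Return {keyword: [algorithms]} for the algorithm lists in `sshd -T` output."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in STRICT:
            cfg[key.lower()] = [a for a in value.strip().split(",") if a]
    return cfg

def audit(text, strict=False):
    """List findings: weak MACs always; anything outside STRICT when strict=True."""
    cfg = parse_effective(text)
    findings = [f"macs: weak MAC {m} is offered"
                for m in cfg.get("macs", []) if m in WEAK_MACS]
    if strict:
        for key, allowed in STRICT.items():
            findings += [f"{key}: {a} is outside the strict profile"
                         for a in cfg.get(key, []) if a not in allowed]
    return findings

# Constructed sample: effective config where only one weak MAC was removed.
SAMPLE = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":  # usage: sshd -T | python3 audit.py [--strict]
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.exit("\n".join(audit(text, "--strict" in sys.argv)) or 0)
```

The script exits non-zero and prints the findings when anything is flagged, so it can gate an image build.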

Benefits:

  • Eliminates weak algorithms that are flagged as security risks.
  • Ensures compliance with modern cryptographic standards.
  • Retains backward compatibility with widely used secure algorithms.

End Result:

An updated sshd_config that ensures secure SSH connections by default while allowing administrators to further customize settings for high-security environments.

References

  1. Weak MAC algorithms:
    • umac-64-etm@openssh.com
    • umac-64@openssh.com
  2. Recommended settings:
    • Ciphers: chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr
    • MACs: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com
    • KexAlgorithms: curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group18-sha512
    • HostKeyAlgorithms: ssh-ed25519, ecdsa-sha2-nistp521, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-256