Steps to disable sha1-based algorithms from the SSHD configuration in SDDC Manager

Article ID: 313325

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:

Security scans (e.g., Qualys) might identify the use of weak SHA-1-based algorithms on port 22 (sshd) of SDDC Manager.

The flagged algorithms include:

  • KexAlgorithms diffie-hellman-group14-sha1

  • HostKeyAlgorithms ssh-rsa

  • MACs hmac-sha1 [email protected]

These algorithms are considered insecure because of known weaknesses in the SHA-1 hash function.

Environment

VMware Cloud Foundation 4.2

Cause

Security scans (e.g., Qualys) might identify the use of weak SHA-1-based algorithms on port 22 (sshd) of SDDC Manager.

Resolution

To resolve the issue, follow the steps below:

Note: Take a snapshot of SDDC Manager before making any changes.

  1. Take a snapshot of SDDC Manager.

  2. Download the disable-sha1-support.sh and hardenssh.sh scripts attached to this KB.

  3. Transfer the scripts to the SDDC Manager, or copy their contents into files on the SDDC Manager. Ideally, place the scripts in /tmp.

  4. SSH to the SDDC Manager as the vcf user, then su to root.

  5. Make the scripts executable:

chmod +x /tmp/hardenssh.sh /tmp/disable-sha1-support.sh

  6. Execute the script:

cd /tmp
/tmp/hardenssh.sh /etc/ssh/sshd_config

  7. Confirm that the script completes successfully (the KB includes a screenshot of the expected output, which is not reproduced here).

  8. Restart the sshd service:

systemctl restart sshd.service

Notes:
The script removes the following SHA-1-based algorithms from the sshd_config file:

KexAlgorithms diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-rsa,ssh-ed25519,[email protected],[email protected]
MACs [email protected],hmac-sha1
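The following is an added illustration of the kind of check and cleanup the procedure above performs; it is not one of the KB's attached scripts (hardenssh.sh or disable-sha1-support.sh) and does not reproduce their logic. It scans an sshd_config for the three SHA-1-based algorithm names the KB lists on the KexAlgorithms, HostKeyAlgorithms and MACs lines, reports them the way a scanner would, and writes a cleaned copy with those entries removed. Assumptions: POSIX sh, keyword lines written as "Keyword value[,value...]" without leading whitespace, and a constructed sample configuration that is not a real SDDC Manager file. It goes a little beyond the KB's case by accepting both comma- and space-separated lists and by commenting out a line whose entries were all SHA-1 based, because an empty algorithm list is a configuration error for sshd.

```shell
#!/bin/sh
# Added audit/cleanup helper for sshd_config. NOT one of the KB's attached scripts;
# a stand-alone illustration only. Assumes POSIX sh, keyword lines of the form
# "Keyword value[,value...]" with no leading whitespace, and the SHA-1 algorithm
# names taken from this KB.

# Algorithm names the KB identifies as SHA-1 based (space separated).
SHA1_ALGOS="diffie-hellman-group14-sha1 ssh-rsa hmac-sha1"

# is_sha1_algo NAME: exit 0 when NAME is one of the SHA-1 based entries.
is_sha1_algo() {
    for bad in $SHA1_ALGOS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# list_sha1_algos FILE: print "Keyword algorithm" for every SHA-1 based entry on
# KexAlgorithms, HostKeyAlgorithms and MACs lines. Exit status is 1 when any
# entry was found and 0 when the file is clean, so it doubles as a scan check.
list_sha1_algos() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            KexAlgorithms\ *|HostKeyAlgorithms\ *|MACs\ *) ;;
            *) continue ;;
        esac
        keyword=${line%% *}
        # Accept both comma separated (sshd syntax) and space separated lists.
        for algo in $(printf '%s' "${line#* }" | tr ',' ' '); do
            if is_sha1_algo "$algo"; then
                printf '%s %s\n' "$keyword" "$algo"
                found=1
            fi
        done
    done < "$1"
    [ "$found" -eq 0 ]
}

# strip_sha1_algos IN OUT: write a copy of IN to OUT with the SHA-1 based entries
# dropped from the three keyword lines. All other lines are copied unchanged.
strip_sha1_algos() {
    : > "$2"
    while IFS= read -r line; do
        case "$line" in
            KexAlgorithms\ *|HostKeyAlgorithms\ *|MACs\ *)
                keyword=${line%% *}
                keep=""
                for algo in $(printf '%s' "${line#* }" | tr ',' ' '); do
                    is_sha1_algo "$algo" || keep="${keep:+$keep,}$algo"
                done
                if [ -n "$keep" ]; then
                    printf '%s %s\n' "$keyword" "$keep" >> "$2"
                else
                    # Every entry was SHA-1 based. An empty list is a config error,
                    # so comment the line out and let sshd use its built-in defaults.
                    printf '# %s (removed: all entries SHA-1 based)\n' "$line" >> "$2"
                fi
                ;;
            *) printf '%s\n' "$line" >> "$2" ;;
        esac
    done < "$1"
}

# Demonstration on a constructed sample (not a real SDDC Manager sshd_config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-ed25519,ssh-rsa
MACs hmac-sha2-256,hmac-sha1
EOF

echo "SHA-1 based entries found in $sample:"
if list_sha1_algos "$sample"; then
    echo "(none)"
fi

cleaned=$(mktemp)
strip_sha1_algos "$sample" "$cleaned"
echo "Cleaned configuration:"
cat "$cleaned"
# On the real host, validate before installing: sshd -t exits non-zero on a bad
# config, so the copy and restart below only happen when the file parses.
#   sshd -t -f "$cleaned" && cp "$cleaned" /etc/ssh/sshd_config && systemctl restart sshd.service
rm -f "$sample" "$cleaned"
```

Running list_sha1_algos against /etc/ssh/sshd_config after the KB procedure is a quick local confirmation, before re-running the external scan, that none of the three flagged names remain; the commented-out sshd -t line shows where a syntax check belongs before any cleaned file replaces the live configuration.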


Attachments

hardenssh.sh
disable-sha1-support.sh