Remove the deprecated SSH cryptographic settings from VIDM Appliance
search cancel

Remove the deprecated SSH cryptographic settings from VIDM Appliance

book

Article ID: 327325

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

The purpose of this document is to list the steps to mitigate the reported vulnerability.

This document provides mitigation steps specifically when the MAC algorithm considered weak is used due to a weak hashing function.

Symptoms:

Security scans on VIDM Appliance may report the below:

"The SSH server supports cryptographically weak Hash-Based Message Authentication Codes (HMACs)"
The scan report will also list the insecure algorithms that it may have found e.g.

Insecure algorithms in use:



Environment

VMware Identity Manager 3.3.x

Cause

SSH MAC algorithms are used to validate data integrity and authenticity. 
The MAC algorithm uses a message and private key to generate the fixed-length MAC.

MAC algorithms may be considered weak for the following reasons:

  1. A known weak hashing function is used (MD5)
  2. The digest length is too small (Less than 128 bits)
  3. The tag size is too small (Less than 128 bits)

Resolution

If you are running a cluster deployment, repeat the below steps on all additional nodes of the cluster.
  1. Backup the config files 
    • cp /etc/ssh/ssh_config /etc/ssh/ssh_config.old
    • cp /etc/ssh/sshd_config  /etc/ssh/sshd_config.old
  2. Open the below config files one by one 
    • vim /etc/ssh/ssh_config 
    • vim /etc/ssh/sshd_config 
  3. Remove the below MAC’s and save the config files 
  4. Restart the SSHD service.
    • systemctl restart sshd