Disable weak ciphers on vSphere Replication 8.7 - scanning reports show "SSH Weak Message Authentication Code Algorithms"

Article ID: 379716

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • A security scanner has determined that a weak cipher is in use.
  • The flagged cipher is ssh-rsa or another SHA1-based cipher.
  • When running a vulnerability scan, the customer might see "SSH Weak Message Authentication Code Algorithms" and/or a description containing "The SSH server supports cryptographically weak Hash-based message authentication"

Environment

VMware vSphere Replication 8.7

Resolution

This issue will be fixed in a future product release.

Workaround:

The following workaround is to be applied on every VRMS appliance:

1. SSH to the appliance as "root".

2. Create a copy of the sshd_config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

3. Use the vi or vim editor to add the following lines to the bottom of the file to exclude SHA1:

KexAlgorithms -diffie-hellman-group14-sha1
HostkeyAlgorithms -ssh-rsa

4. Restart the sshd service:

# systemctl restart sshd
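
To confirm the workaround took effect, the following added example (not part of the original article or of VMware's tooling) filters the effective configuration printed by `sshd -T` for SHA1-based key exchange, host key and MAC algorithms. The function names `weak_algos` and `sha1_free` and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SHA1-based algorithms in sshd's effective configuration.
# Input is text in the format printed by `sshd -T`: a lowercase keyword, a
# space, then a comma-separated algorithm list.

# weak_algos: read `sshd -T`-style text on stdin and print "keyword algorithm"
# for each key exchange, host key or MAC entry that depends on SHA1.
weak_algos() {
    awk '
        $1 == "kexalgorithms" || $1 == "hostkeyalgorithms" || $1 == "macs" {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (algo[i] ~ /sha1/ || algo[i] ~ /^ssh-(rsa|dss)(-cert-v01@openssh\.com)?$/)
                    print $1, algo[i]
        }'
}

# sha1_free: succeed only when stdin contains no SHA1-based entries.
sha1_free() {
    [ -z "$(weak_algos)" ]
}

# Constructed samples (not captured from an appliance): before and after the
# two lines from step 3 are appended to sshd_config.
SAMPLE_BEFORE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512'
SAMPLE_AFTER='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | weak_algos
if printf '%s\n' "$SAMPLE_AFTER" | sha1_free; then echo "after: no SHA1 entries"; fi

# On the appliance, as root:
#   sshd -t                  # syntax-check the edited file before restarting
#   sshd -T | weak_algos     # after the restart; no output means none remain
```
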

Additional Information

SHA1 is already disabled in newer versions of vSphere Replication.