#StackBounty: #ssh #pci-dss #sha Are the sha1 hashes used by common ssh configurations insecure?

Bounty: 50

I got an automated PCI security test result that checked various server configurations. The automated test determined the server to be unsafe due to the use of the sha1 algorithm in some elements of the ssh configuration.

The configuration can be seen when running ssh -vvv, so here’s the relevant part of that output. I snipped out the other algorithms that are available on this particular server, but several are available.

debug2: KEX algorithms: ...snip...diffie-hellman-group14-sha1
debug2: MACs ctos: hmac-sha1...snip...

It’s the use of:

  • diffie-hellman-group14-sha1 in the key exchange algorithms
  • hmac-sha1 in the MACs from client to server

I’ve searched this site a bit and I don’t see much data about whether these algorithms are 1) in use 2) considered insecure for a PCI compliant site in 2019.
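
An added example, not part of the original question: a small shell function that reads `ssh -vvv` debug output and lists the SHA-1 based KEX and MAC entries in the server's proposal only, ignoring the client's own list. It assumes the OpenSSH `debug2:` line format quoted above plus the `local client` / `peer server KEXINIT proposal` marker lines; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the SHA-1 based KEX and
# MAC algorithms a server offers, parsed from `ssh -vvv` debug output.
# Usage (host is a placeholder; debug output goes to stderr):
#   ssh -vvv user@host exit 2>&1 | sha1_offers

sha1_offers() {
    awk '
        # Client and server proposals share the same labels; track which is which.
        /debug2: local client KEXINIT proposal/ { peer = 0; next }
        /debug2: peer server KEXINIT proposal/  { peer = 1; next }
        peer && /debug2: (KEX algorithms|MACs (ctos|stoc)): / {
            line = $0
            sub(/^.*debug2: /, "", line)                 # drop the debug prefix
            label = line; sub(/: .*$/, "", label)        # e.g. "MACs ctos"
            list = line;  sub(/^[^:]*: /, "", list)      # comma-separated names
            gsub(/[ \t\r]/, "", list)
            n = split(list, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] ~ /sha1([^0-9]|$)/)           # sha1, sha1-96, sha1-etm@...
                    print label ": " alg[i]
        }
    '
}

# Constructed sample input, not captured from a real server.
sample_debug() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha1-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
EOF
}

sample_debug | sha1_offers
```

An empty result means the server's proposal contains no SHA-1 based KEX or MAC entries; a SHA-1 entry that appears only in the client's list is not reported.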
