I got an automated PCI security test result that checked various server configurations. The automated test determined the server to be unsafe due to the use of the sha1 algorithm in some elements of the ssh configuration.
The configuration can be seen when running ssh -vvv, so here’s the relevant part of that output. I snipped out the other algorithms that are available on this particular server, but several are available.
debug2: KEX algorithms: ...snip...diffie-hellman-group14-sha1
debug2: MACs ctos: hmac-sha1...snip...
It’s the use of:
- diffie-hellman-group14-sha1 in the key exchange algorithms
- hmac-sha1 in the MACs from client to server
I’ve searched this site a bit and I don’t see much data about whether these algorithms are 1) in use 2) considered insecure for a PCI compliant site in 2019.
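As an added example (not part of the original post), the following parser separates the two KEXINIT proposals that `ssh -vvv` prints, the client's own and the server's, and lists the SHA-1-based KEX and MAC algorithms on each side, since a scanner finding concerns what the server offers. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `ssh -vvv` output (not taken from the original post).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# OpenSSH prints the client's proposal first, then the server's.
HEADER = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(r"^debug2: (KEX algorithms|MACs ctos|MACs stoc): (.*)$")


def parse_proposals(text):
    """Return {"local client": {field: [algs]}, "peer server": {...}}."""
    proposals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = proposals.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        # Ignore algorithm lines seen before any proposal header.
        if m and current is not None:
            current[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals


def sha1_offered(text, side="peer server"):
    """Map each field of one side's proposal to its SHA-1-based algorithms."""
    fields = parse_proposals(text).get(side, {})
    hits = {f: [a for a in algs if "sha1" in a] for f, algs in fields.items()}
    # Drop fields with no SHA-1 entries so the result lists findings only.
    return {f: algs for f, algs in hits.items() if algs}


if __name__ == "__main__":
    for field, algs in sha1_offered(SAMPLE).items():
        print(f"server offers {field}: {', '.join(algs)}")
```

To run it against a real host, capture the debug output with `ssh -vvv host 2> out.txt` and pass the file contents to `sha1_offered`.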