
SSH weak MAC algorithms enabled

Created: Apr 14, 2020 12:17:08 | Latest reply: Apr 19, 2022 08:11:48
  Rewarded HiCoins: 0 (problem resolved)

Hi,

Our customer got a report “SSH weak MAC algorithms enabled” after the security scanning. I checked the scanning result and found the enabled MAC algorithms include hmac-sha2-256, hmac-sha2-256-96 and hmac-sha1-96.

Kindly help to figure out which algorithm(s) I should remove to terminate the weak algorithms enabled warning.

BTW, the switch is CE5855, and version is V200R005C00.

Thanks.


Featured Answers

Best answer

Recommended answer

chenhui
Admin Created Apr 14, 2020 12:36:10

Hi @user_3445655,
From the documentation, the weak algorithms of the algorithms you listed are hmac-sha2-256-96 and hmac-sha1-96.
Kindly disable these two algorithms to terminate the warnings.
You can refer to the example below:
<HUAWEI> system-view
[~HUAWEI] ssh server hmac sha2_256

For more details, you can refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100020548&id=ssh_server_hmac&lang=en

As with most encryption schemes, SSH MAC algorithms are used to validate data integrity and authenticity. A ‘MAC algorithm’ should not be conflated with a MAC (Message Authentication Code) as these are two distinct components. The MAC algorithm uses a message and private key to generate the fixed-length MAC.

MAC algorithms may be considered weak for the following reasons:
A known weak hashing function is used (MD5)
The digest length is too small (Less than 128 bits)
The tag size is too small (Less than 128 bits)

The following are the most common weak MAC algorithms encountered:
hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96
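
The three criteria in the answer above, applied to the algorithm list from the question, as an added example that is not part of the original thread. The regular expression, digest-size table and function names are this example's own assumptions, and the handling of OpenSSH's `-etm@openssh.com` suffix goes beyond the names listed in the thread.

```python
import re

# Digest sizes (bits) of the hash functions that appear in SSH HMAC names.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha2-256": 256, "sha2-512": 512}
WEAK_HASHES = {"md5"}   # criterion 1 in the answer: known weak hash function
MIN_BITS = 128          # criteria 2 and 3: digest or tag shorter than 128 bits

# hmac-<hash>[-<truncated tag bits>][-etm@openssh.com]
NAME_RE = re.compile(
    r"^hmac-(md5|sha1|sha2-256|sha2-512)(?:-(\d+))?(?:-etm@openssh\.com)?$"
)

def classify(name):
    """Return the reasons a MAC algorithm is weak; an empty list means none."""
    m = NAME_RE.match(name.strip().lower())
    if not m:
        return ["unrecognised name, review manually"]
    hash_name, trunc = m.groups()
    digest = DIGEST_BITS[hash_name]
    tag = int(trunc) if trunc else digest   # untruncated tag = full digest
    reasons = []
    if hash_name in WEAK_HASHES:
        reasons.append(f"weak hash function ({hash_name})")
    if digest < MIN_BITS:
        reasons.append(f"digest is only {digest} bits")
    if tag < MIN_BITS:
        reasons.append(f"tag truncated to {tag} bits")
    return reasons

def audit(name_list):
    """Audit a comma-separated name-list as reported by a scanner."""
    names = [n for n in name_list.split(",") if n.strip()]
    findings = {n.strip(): classify(n) for n in names}
    keep = [n for n, reasons in findings.items() if not reasons]
    return findings, keep

if __name__ == "__main__":
    # Constructed input: the three algorithms named in the question.
    findings, keep = audit("hmac-sha2-256,hmac-sha2-256-96,hmac-sha1-96")
    for name, reasons in findings.items():
        print(f"{name:20} {'WEAK: ' + '; '.join(reasons) if reasons else 'ok'}")
    print("keep enabled:", ", ".join(keep))
```
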

All Answers
Hi,
Kindly wait a second, we are processing your problem.