Avamar: Security scan report reports "SSH Server Public Key Too Small" and "Deprecated SSH Cryptographic Settings"
Summary: The vulnerabilities "SSH Server Public Key Too Small" and "Deprecated SSH Cryptographic Settings" are reported in a security scan report.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
The following security vulnerabilities were reported in a security scan report.
Title: SSH Server Public Key Too Small
Results:
Algorithm  Length
ssh-rsa    1024 bit
Threat: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH Server is using a small Public Key.
Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 are acceptable through 2013, but since 2011 they are considered deprecated.
For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).
Only server keys that are not part of a certificate are reported in this QID.
QID: 38739
Title: Deprecated SSH Cryptographic Settings
Results:
Type          Name
key exchange  diffie-hellman-group1-sha1
cipher        arcfour256
cipher        arcfour128
cipher        3des-cbc
cipher        blowfish-cbc
cipher        cast128-cbc
cipher        arcfour
Threat: The target is using deprecated SSH cryptographic settings to communicate.
Cause
The SSH public key may be configured by default as 1024 bits instead of 2048 bits, and deprecated SSH cryptographic settings may be in use.
Resolution
1. Log in to the Avamar Utility Node as an administrator.
2. Elevate to root privileges.
3. Determine which ciphers can be used:
cat /etc/ssh/sshd_config | grep -i ciphers
Sample output:
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
4. Run the following command, then confirm which ciphers are supported:
ssh -Q cipher
Sample output:
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
5. Back up the /etc/ssh/sshd_config file:
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%y%m%d`
6. Using vi, edit the /etc/ssh/sshd_config file:
vi /etc/ssh/sshd_config
7. Make the following changes:
a. Remove any deprecated SSH cryptographic settings listed in the security scan report. In this example, those are listed below:
cipher arcfour256
cipher arcfour128
cipher 3des-cbc
cipher blowfish-cbc
cipher cast128-cbc
cipher arcfour
b. Change the following parameter from 1024 to 2048:
ServerKeyBits 2048
c. Uncomment these lines to specify the keys that SSH will use:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
8. Check the size of each of the following keys:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Sample output:
2048 82:4e:33:4a:1f:e6:81:7f:ef:c7:4c:1f:c7:b2:ce:59 [MD5] root@linux-host1 (RSA)
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
Sample output:
256 a9:2b:e7:0b:ab:0b:be:2f:d4:9b:6c:2d:6c:fb:3d:e9 [MD5] root@linux-host1 (ECDSA)
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
Sample output:
256 65:c5:1e:1c:ac:a3:7c:05:90:21:a3:3c:7e:d6:d4:bd [MD5] root@linux-host1 (ED25519)
If the size (the first number in the output) is lower than in the output above, new keys must be generated.
If required, run the applicable command to generate one or more keys:
sudo ssh-keygen -N '' -b 2048 -t rsa -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -N '' -b 256 -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
sudo ssh-keygen -N '' -b 256 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
Confirm any key overwrite:
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
47:60:91:14:b1:15:6e:6d:ea:e9:36:37:31:08:d3:69 root@vmtest-debian8
The key's randomart image is:
+---[RSA 2048]----+
| .B=o. |
| ..= . |
| ..+.o |
| ooEo |
| S+o. |
| o..o |
| o o |
| .o o |
| ..o . |
+-----------------+
9. Confirm that the configuration contains no errors:
sshd -t
There should be no output in this case. If there are errors, correct them before continuing.
10. Restart the sshd service:
service sshd restart
11. To check which ciphers are accepted after applying these changes, run the following command for each of the ciphers listed earlier:
ssh -c "cipher_name" localhost
- If the cipher is accepted, the output should match Appendix A.
- If the cipher is rejected, the output should match Appendix B.
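The following shell script is an added example; it is not part of this Dell article or of the Avamar product. It reproduces the checks of steps 3 to 11 as offline functions: one audits an sshd_config file for the algorithms named in the scan report and for a ServerKeyBits value below 2048, one checks a line of "ssh-keygen -lf" output against the expected key size, and one classifies the output of the step 11 ssh test as accepted (Appendix A) or rejected (Appendix B). All sample inputs are constructed here so the script runs without sshd installed. Note that ServerKeyBits was an SSH protocol 1 setting; OpenSSH releases that no longer support protocol 1 report it as a deprecated option in the output of sshd -t, and on those releases the host key sizes checked in step 8 are what the scanner measures.

```shell
#!/bin/sh
# Added example (not from the Dell article): offline checks for the two scan
# findings. They parse an sshd_config file, "ssh-keygen -lf" output and the
# step 11 ssh output, so no sshd is needed; all sample inputs are constructed.

# Algorithms named in the scan report (QID 38739).
DEPRECATED_CIPHERS="arcfour256 arcfour128 3des-cbc blowfish-cbc cast128-cbc arcfour"
DEPRECATED_KEX="diffie-hellman-group1-sha1"

# Print the comma-separated value of an uncommented sshd_config keyword ($1)
# in file $2 as one algorithm per line (empty if the keyword is absent).
config_list() {
    grep -iE "^[[:space:]]*$1[[:space:]]" "$2" | awk '{print $2}' | tr ',' '\n'
}

# Report deprecated algorithms still enabled in sshd_config and a ServerKeyBits
# value below 2048. Returns 0 when clean, 1 when anything was found.
audit_sshd_config() {
    config="$1"; found=0
    ciphers=$(config_list Ciphers "$config")
    kex=$(config_list KexAlgorithms "$config")
    for c in $DEPRECATED_CIPHERS; do
        printf '%s\n' "$ciphers" | grep -qx "$c" && { echo "deprecated cipher enabled: $c"; found=1; }
    done
    for k in $DEPRECATED_KEX; do
        printf '%s\n' "$kex" | grep -qx "$k" && { echo "deprecated kex enabled: $k"; found=1; }
    done
    # Without a Ciphers line sshd uses its built-in default list; compare the
    # step 4 output against the scan report by hand in that case.
    [ -z "$ciphers" ] && echo "note: no explicit Ciphers line in $config"
    bits=$(grep -iE '^[[:space:]]*ServerKeyBits[[:space:]]' "$config" | awk '{print $2}')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "ServerKeyBits too small: $bits"; found=1
    fi
    return $found
}

# Check one line of "ssh-keygen -lf <key>.pub" output (step 8) against the
# expected size: RSA at least 2048 bits, ECDSA and ED25519 256 bits.
check_hostkey_size() {
    bits=$(printf '%s\n' "$1" | awk '{print $1}')
    type=$(printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
    case "$type" in
        RSA) min=2048 ;;
        ECDSA|ED25519) min=256 ;;
        *) echo "unrecognised key type in: $1"; return 1 ;;
    esac
    if [ "$bits" -ge "$min" ] 2>/dev/null; then
        echo "ok: $type $bits bits"
    else
        echo "too small: $type $bits bits (minimum $min), regenerate this key"; return 1
    fi
}

# Classify the output of "ssh -c <cipher> localhost" (step 11): Appendix B's
# message means rejected, reaching the login banner (Appendix A) means accepted.
classify_cipher_test() {
    case "$1" in
        *"no matching cipher found"*) echo rejected ;;
        *"Last login"*|*"Avamar Virtual Appliance"*) echo accepted ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: sshd_config in the "before" state the article describes.
BEFORE_CONFIG=$(mktemp)
cat > "$BEFORE_CONFIG" <<'EOF'
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,3des-cbc,blowfish-cbc
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
ServerKeyBits 1024
#HostKey /etc/ssh/ssh_host_rsa_key
EOF
# Constructed sample: the same file after the step 7 changes.
AFTER_CONFIG=$(mktemp)
cat > "$AFTER_CONFIG" <<'EOF'
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com
KexAlgorithms diffie-hellman-group14-sha1
ServerKeyBits 2048
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
trap 'rm -f "$BEFORE_CONFIG" "$AFTER_CONFIG"' EXIT

echo "== before =="; audit_sshd_config "$BEFORE_CONFIG" || echo "-> changes required"
echo "== after ==";  audit_sshd_config "$AFTER_CONFIG"  && echo "-> clean"
# Constructed key lines: a 1024-bit RSA key (fails) and the article's ED25519 sample (passes).
check_hostkey_size "1024 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff [MD5] root@host (RSA)" || true
check_hostkey_size "256 65:c5:1e:1c:ac:a3:7c:05:90:21:a3:3c:7e:d6:d4:bd [MD5] root@linux-host1 (ED25519)"
classify_cipher_test 'no matching cipher found: client "arcfour" server aes128-ctr,aes256-ctr'
```

On a real node, point audit_sshd_config at /etc/ssh/sshd_config before and after the step 7 edits, pipe each "ssh-keygen -lf" line from step 8 into check_hostkey_size, and feed the captured output of each step 11 ssh run to classify_cipher_test; a cipher that is still accepted after the restart is one the scan will report again.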
Additional Information
Appendix A:
root@hostname:~/#: ssh -c "cipher_name" localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Last login: Mon Oct 1 14:05:28 2018 from XX.XX.XX.XXX
*****************************************************************
* *
* This is the Avamar Virtual Appliance *
* *
* Please read the documentation before performing *
* any administrative functions on this node. *
* For help, contact EMC at 877.534.2867 (USA only) or *
* https://support.emc.com. *
* *
*****************************************************************
root@hostname:~/#:
Appendix B:
root@hostname:~/#: ssh -c "cipher_name" localhost
no matching cipher found: client "cipher_name" server valid_cipher, valid_cipher, valid_cipher
Affected Products
Avamar, Avamar Server
Article Properties
Article Number: 000050936
Article Type: Solution
Last Modified: 18 Sep 2025
Version: 5