Avamar:“SSH Server Public Key Too Small”和“Deprecated SSH Cryptographic Settings”(SSH 服务器公钥太小)和“弃用的 SSH 加密设置”(Deprecated SSH Cryptographic Settings)在安全扫描报告中报告

Summary: 安全扫描报告中报告了漏洞“SSH Server Public Key Too Small”和“Deprecated SSH Cryptographic Settings”。

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

安全扫描报告中报告了以下安全漏洞。

Title: SSH Server Public Key Too Small

Results: Algorithm Length ssh-rsa 1024 bit

Threat: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH Server is using a small Public Key.
Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 are acceptable through 2013, but since 2011 they are considered deprecated. 
For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).
Only server keys that are not part of a certificate are reported in this QID.

QID: 38739
Title: Deprecated SSH Cryptographic Settings
Results: Type    Name
key exchange    diffie-hellman-group1-sha1
cipher    arcfour256
cipher    arcfour128
cipher    3des-cbc
cipher    blowfish-cbc
cipher    cast128-cbc
cipher    arcfour
Threat: The target is using deprecated SSH cryptographic settings to communication

Cause

SSH 默认情况下,公钥配置为 1024 位而不是 2048 位,并且可能使用已弃用的 SSH 加密设置。

Resolution

1.以“管理员”身份登录到 Avamar 实用程序节点。

2.提升到 root 权限。

3.确定可能使用的密码:

cat /etc/ssh/sshd_config | grep -i ciphers
 

输出示例:

# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
 

4.运行以下命令,然后确认使用了哪些密码:

ssh -Q cipher
 

输出示例:

3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
 

5.创建 的备份拷贝 /etc/ssh/sshd_config 文件中:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%y%m%d`
 

6.使用 vi,编辑 /etc/ssh/sshd_config 文件中:

vi /etc/ssh/sshd_config
 

7.进行以下更改:

一个。删除安全扫描报告中列出的任何已弃用的 SSH 加密设置。在此示例中,下面列出了:

cipher    arcfour256
cipher    arcfour128
cipher    3des-cbc
cipher    blowfish-cbc
cipher    cast128-cbc
cipher    arcfour
 

b.将以下参数从 1024 更改为 2048:

ServerKeyBits 2048
 

c. 删除这些行上的注释,以指定 SSH 将使用哪些密钥:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
 

8.检查以下每个键的大小:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
 

输出示例:

2048 82:4e:33:4a:1f:e6:81:7f:ef:c7:4c:1f:c7:b2:ce:59 [MD5]  root@linux-host1 (RSA)
 
  
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
 

输出示例:

256 a9:2b:e7:0b:ab:0b:be:2f:d4:9b:6c:2d:6c:fb:3d:e9 [MD5]  root@linux-host1 (ECDSA)
 
  
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
 

输出示例:

256 65:c5:1e:1c:ac:a3:7c:05:90:21:a3:3c:7e:d6:d4:bd [MD5]  root@linux-host1 (ED25519)
 

如果大小(输出中的第一个数字,以红色突出显示)小于上面的输出,则必须生成新密钥。

如果需要,请为一个或多个密钥运行适用的命令以生成:

sudo ssh-keygen -N '' -b 2048 -t rsa -f /etc/ssh/ssh_host_rsa_key 
sudo ssh-keygen -N '' -b 256 -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key 
sudo ssh-keygen -N '' -b 256 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
 

确认任何密钥覆盖:

Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
47:60:91:14:b1:15:6e:6d:ea:e9:36:37:31:08:d3:69 root@vmtest-debian8
The key's randomart image is:
+---[RSA 2048]----+
|       .B=o.     |
|       ..= .     |
|        ..+.o    |
|        ooEo     |
|        S+o.     |
|         o..o    |
|          o  o   |
|         .o o    |
|         ..o .   |
+-----------------+
 

9.验证配置不包含任何错误:

sshd -t

应该没有输出。如果存在错误,请更正后再继续。

10.重新启动 sshd 服务:

service sshd restart
 

11.要检查在应用这些更改后接受哪些密码,请对前面列出的每个密码运行以下命令:

ssh -c "cipher_name" localhost
    • 如果接受密码,则输出应与附录 A 匹配
    • 如果密码被拒绝,则输出应与附录 B 匹配

Additional Information

附录 A:

root@hostname:~/#: ssh -c "cipher_name" localhost 
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Last login: Mon Oct  1 14:05:28 2018 from XX.XX.XX.XXX
*****************************************************************
*                                                               *
*     This is the Avamar Virtual Appliance                      *
*                                                               *
* Please read the documentation before performing               *
* any administrative functions on this node.                    *
* For help, contact EMC at 877.534.2867 (USA only) or           *
* https://support.emc.com.                                      *
*                                                               *
*****************************************************************
root@hostname:~/#:
 

附录 B:

root@hostname:~/#: ssh -c "cipher_name" localhost
no matching cipher found: client "cipher_name" server valid_cipher, valid_cipher, valid_cipher

Affected Products

Avamar, Avamar Server
Article Properties
Article Number: 000050936
Article Type: Solution
Last Modified: 18 Sep 2025
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.