Fixing weak SSH encryption algorithms on Linux
1. Environment
OS version:
Red Hat Enterprise Linux Server release 6.6 (Santiago)
SSH version:
[root@test ~]# ssh -version
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Bad escape character 'rsion'.
2. Fixing the vulnerability:
Upgrade OpenSSH to version 7.0 or later, or change the Ciphers directive in /etc/ssh/sshd_config to: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
3. Problem
When the following settings are enabled in sshd_config, adding Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc after them causes an error:
136 # Example of overriding settings on a per-user basis
137 #Match User anoncvs
138 # X11Forwarding no
139 # AllowTcpForwarding no
140 # ForceCommand cvs server
141 Match Group sftp                # enabled setting
142 X11Forwarding no                # enabled setting
143 AllowTcpForwarding no           # enabled setting
144 ChrootDirectory %h              # enabled setting
145 ForceCommand internal-sftp      # enabled setting
146
147 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc   # with Ciphers placed here, restarting the SSH service fails with the error below
Error message:
[root@test ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 144: Directive 'Ciphers' is not allowed within a Match block
[FAILED]
Solution:
Place the line Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc before the enabled Match settings. A Match block extends to the next Match line or the end of the file, so any directive written after it is treated as part of that block, and Ciphers is not one of the keywords allowed inside a Match block.
For example:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc   # place this above the settings that follow
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
Restarting the SSH service now succeeds.
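The following shell script is an added example and is not part of the original post. It automates the check and the fix described above: it reports whether a global directive such as Ciphers has landed after a Match line, and it rewrites the configuration with that directive hoisted above the first Match line. The function names are hypothetical helpers written for this example, and the sample configuration at the bottom is constructed to mirror the layout in the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# sshd treats every line after a "Match" line as part of that Match block,
# and only a subset of keywords is permitted there. These helpers detect a
# global directive placed after the first Match line and move it above it.
# Function names are hypothetical; keyword matching is case-insensitive
# because sshd_config keywords are case-insensitive.

# Print 1 if DIRECTIVE ($2) occurs on any line after the first Match line
# of FILE ($1), else 0.
directive_after_match() {
    awk -v d="$2" '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        in_match && tolower($1) == tolower(d) { found = 1 }
        END { print found ? 1 : 0 }
    ' "$1"
}

# Print FILE ($1) with every DIRECTIVE ($2) line found after the first
# Match line moved to immediately before that Match line. The file is read
# twice: pass 1 collects the misplaced lines, pass 2 emits the rewrite.
hoist_directive_above_match() {
    awk -v d="$2" '
        NR == FNR {
            if (/^[[:space:]]*Match[[:space:]]/) in_match = 1
            if (in_match && tolower($1) == tolower(d)) hoisted = hoisted $0 "\n"
            next
        }
        /^[[:space:]]*Match[[:space:]]/ && !inserted {
            printf "%s", hoisted; inserted = 1; skipping = 1
        }
        skipping && tolower($1) == tolower(d) { next }
        { print }
    ' "$1" "$1"
}

# --- constructed sample config for a stand-alone run ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
EOF

echo "Ciphers placed after a Match line: $(directive_after_match "$sample" Ciphers)"
echo "--- rewritten config ---"
hoist_directive_above_match "$sample" Ciphers
rm -f "$sample"
```

Write the rewritten output to a new file and validate it with `sshd -t -f /path/to/new_config` before copying it over /etc/ssh/sshd_config and restarting the service; `-t` makes sshd check the configuration and exit without starting, so a misplaced directive is caught before the running daemon is stopped.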