Disabling 96-bit HMAC And MD5-based HMAC Algorithms in SDWAN Viptela Controller (vManage)
The customer's ask is to disable the weak hmac-sha1-96 supported under SSH, as this has been flagged as a critical error as part of a Vulnerability Assessment Scan.
cat /etc/ssh/sshd_config
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
UsePrivilegeSeparation yes
Compression yes
ClientAliveInterval 15
ClientAliveCountMax 4
UseDNS no
LoginGraceTime 300
MaxStartups 10:30:100
Banner /etc/issue
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem netconf /usr/bin/vconfd_netconf_subsys
PubkeyAcceptedKeyTypes +ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
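
An added example, not part of the original post and not a Cisco procedure: a shell check that reads an sshd_config on stdin, separates the 96-bit and MD5-based MACs named in the title from the rest, and prints the directive with them removed. The function names and the embedded sample (built from the Macs line above) are constructed for illustration, and the check assumes an explicit comma-separated list, as in the post.

```shell
#!/bin/sh
# Added example: audit the MACs directive of an OpenSSH sshd_config.

# Constructed sample input, reusing the Macs line shown in the post.
sample_config() {
    cat <<'EOF'
Protocol 2
Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
EOF
}

# Succeeds for MACs truncated to 96 bits or built on MD5.
# Full-length hmac-sha1 is outside that scope and is left in place.
is_weak_mac() {
    case "$1" in
        *-96|*-96-etm@openssh.com|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# filter_macs weak|strong: read a config on stdin and print the matching
# MACs, comma-separated. sshd uses the first occurrence of a keyword and
# matches keywords case-insensitively, so "Macs" and "MACs" are the same.
filter_macs() {
    mode=$1
    out=
    list=$(awk 'tolower($1) == "macs" { print $2; exit }')
    old_ifs=$IFS
    IFS=,
    for m in $list; do
        if is_weak_mac "$m"; then kind=weak; else kind=strong; fi
        if [ "$kind" = "$mode" ]; then
            out=${out:+$out,}$m
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

weak=$(sample_config | filter_macs weak)
strong=$(sample_config | filter_macs strong)
if [ -n "$weak" ]; then
    echo "weak MACs offered: $weak"
    echo "hardened directive: MACs $strong"
else
    echo "no 96-bit or MD5-based MACs configured"
fi
```

On a generic OpenSSH host, the output of `sshd -T` can be piped into `filter_macs weak` to check the effective configuration rather than the file.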