For this lab, you'll need the VM that you've been using as a scanner, and another Ubuntu 18.04 VM to scan and configure. Let's get started:
- If you haven't done so already, scan the Ubuntu 18.04 VM and save the output to a file:
sudo ssh_scan -t 192.168.0.7 -o ssh_scan-7.json
- On the target Ubuntu 18.04 VM, open the /etc/ssh/sshd_config file in your preferred text editor. Toward the top of the file, find these two lines:
# Ciphers and keying
#RekeyLimit default none
- Beneath those two lines, insert these three lines:
Ciphers -aes128-ctr,aes192-ctr,aes128-gcm@openssh.com
KexAlgorithms ecdh-sha2-nistp384
MACs -umac-64-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256
In the Ciphers and MACs lines, you see a comma-separated list of algorithms that are disabled by the leading - sign. (A single - in front of the list disables every algorithm in it; the rest of the defaults stay enabled.) The KexAlgorithms line has no - sign, so the one algorithm listed there replaces the defaults and becomes the only key exchange algorithm that is enabled.
- Save the file and restart the SSH daemon. Verify that it started correctly:
sudo systemctl restart ssh
sudo systemctl status ssh
- Scan the Ubuntu 18.04 VM again, saving the output to a different file:
sudo ssh_scan -t 192.168.0.7 -o ssh_scan-7-modified.json
- On the scanner VM, use diff to compare the two files. You should see fewer algorithms than you saw previously:
diff -y ssh_scan-7.json ssh_scan-7-modified.json
The sharp-eyed among you will notice that we left one cipher enabled that isn't on the NIST CNSA list. chacha20-poly1305@openssh.com is a lightweight algorithm that's good for use with low-powered, hand-held devices. It's a good, strong algorithm that can replace the venerable Advanced Encryption Standard (AES) algorithm with higher performance. However, if you have to remain 100% compliant with the NIST CNSA standard, then you might have to disable it.
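To see exactly what those three lines leave enabled, here is an added Python model (not from the book) of sshd's list syntax: it applies each line to an assumed set of OpenSSH 7.6 (Ubuntu 18.04) defaults and reports whatever survives that is outside the lab's CNSA target set, where both the defaults and the allow-list are my assumptions. Confirm the real defaults on the target with `sudo sshd -T`.

```python
# Added example, not from the book: model how a leading "-" on a sshd_config
# Ciphers/KexAlgorithms/MACs line removes entries from sshd's built-in defaults,
# then flag whatever stays enabled but is outside the lab's CNSA target set.
# DEFAULTS are assumed OpenSSH 7.6 (Ubuntu 18.04) defaults; confirm with `sudo sshd -T`.
DEFAULTS = {
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "KexAlgorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
                      "diffie-hellman-group14-sha1"],
    "MACs": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}
# Assumed allow-list for the lab's goal: AES-256, P-384 key agreement, SHA-512 MACs.
CNSA_ALLOWED = {"Ciphers": {"aes256-ctr", "aes256-gcm@openssh.com"},
                "KexAlgorithms": {"ecdh-sha2-nistp384"},
                "MACs": {"hmac-sha2-512", "hmac-sha2-512-etm@openssh.com"}}

def apply_directive(keyword, value):
    """List sshd ends up with for one line: '-a,b' removes a and b from the
    defaults, '+a,b' appends to them, a bare list replaces them (exact names only)."""
    base = list(DEFAULTS[keyword])
    if value.startswith("-"):
        drop = set(value[1:].split(","))
        return [a for a in base if a not in drop]
    if value.startswith("+"):
        return base + [a for a in value[1:].split(",") if a not in base]
    return value.split(",")

def check_config(lines):
    """Per keyword: (enabled list, enabled entries outside CNSA_ALLOWED); comments skipped."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword in DEFAULTS:
            enabled = apply_directive(keyword, value.strip())
            report[keyword] = (enabled, [a for a in enabled if a not in CNSA_ALLOWED[keyword]])
    return report

LAB_LINES = ["# Ciphers and keying", "#RekeyLimit default none",  # the lab's three lines
             "Ciphers -aes128-ctr,aes192-ctr,aes128-gcm@openssh.com", "KexAlgorithms ecdh-sha2-nistp384",
             "MACs -umac-64-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,"
             "hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256"]
```

Calling `check_config(LAB_LINES)` reports chacha20-poly1305@openssh.com as the only enabled entry outside the target set, matching the note above.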
You've reached the end of the lab – congratulations!
Next, let's work with CentOS 7.