centos8에서 3des-cbc를 활성화하는 방법

man sshd_config설명하다 Ciphers.

Centos 8에서 man sshd_config:

 Ciphers
         Specifies the ciphers allowed.  Multiple ciphers must be comma-
         separated.  If the specified value begins with a ‘+’ character,
         then the specified ciphers will be appended to the default set
         instead of replacing them.  If the specified value begins with a
         ‘-’ character, then the specified ciphers (including wildcards)
         will be removed from the default set instead of replacing them.

         The supported ciphers are:

               3des-cbc
               aes128-cbc
               aes192-cbc
               aes256-cbc
               aes128-ctr
               aes192-ctr
               aes256-ctr
               [email protected]
               [email protected]
               [email protected]

         The default is handled system-wide by crypto-policies(7).  To see
         the defaults and how to modify this default, see manual page
         update-crypto-policies(8).

         The list of available ciphers may also be obtained using "ssh -Q
         cipher".

CentOS 8은 그것을 참조 man crypto-policies하므로 거기를 보십시오.

내 시스템에서는 다음과 ls -l /etc/crypto-policies/back-ends | grep ssh같은 단서를 제공합니다.

lrwxrwxrwx. 1 root root 45 Aug 14 20:36 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
lrwxrwxrwx. 1 root root 46 Aug 14 20:36 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root 52 Aug 14 20:36 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt

$ cat /usr/share/crypto-policies/DEFAULT/opensshserver.txt
CRYPTO_POLICY='[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'

매뉴얼 페이지의 이 섹션에서는 crypto-policies정책을 다음으로 변경해야 한다고 제안합니다 ( : LEGACY참조 ).man update-crypto-policies

PROVIDED POLICY LEVELS
   LEGACY
       This policy ensures maximum compatibility with legacy systems; it
       is less secure and it includes support for TLS 1.0, TLS 1.1, and
       SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
       allowed, while RSA and Diffie-Hellman parameters are accepted if
       larger than 1023 bits. The level provides at least 64-bit security.
       ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
           etc.)
       ·   Curves: all prime >= 255 bits (including Bernstein curves)
       ·   Signature algorithms: with SHA1 hash or better (DSA allowed)
       ·   TLS Ciphers: all available >= 112-bit key, >= 128-bit block
           (including RC4 and 3DES)
       ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia
       ·   Key exchange: ECDHE, RSA, DHE
       ·   DH params size: >= 1023
       ·   RSA keys size: >= 1023
       ·   DSA params size: >= 1023
       ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0

실제로 3des-cbcLEGACY 파일에 존재합니다.

$ grep -l 3des-cbc /usr/share/crypto-policies/LEGACY/opensshserver.txt
/usr/share/crypto-policies/LEGACY/opensshserver.txt

또는 맞춤 정책 설정에 대한 지침을 따르세요.

CUSTOM POLICIES
   The custom policies can take two forms. First form is a full custom
   policy file which is supported by the update-crypto-policies tool in
   the same way as the policies shipped along the tool in the package.

   The second form can be called a subpolicy or policy modifier. This form
   modifies aspects of any base policy file by removing or adding
   algorithms or protocols. The subpolicies can be appended on the
   update-crypto-policies --set command line to the base policy separated
   by the : character. There can be multiple subpolicies appended.

   Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
   hash and subpolicy GOST that enables support for the various algorithms
   specified in Russian GOST standards. You can set the DEFAULT policy
   with disabled SHA1 support and enabled GOST support by running the
   following command:

   update-crypto-policies --set DEFAULT:NO-SHA1:GOST

   This command generates and applies configuration that will be
   modification of the DEFAULT policy with changes specified in the
   NO-SHA1 and GOST subpolicies.

또는 다음 항목을 선택 해제 crypto-policy하려면 지침을 따르세요 sshd.

   ·   OpenSSH: Both server and client application inherits the cipher
       preferences, the key exchange algorithms as well as the GSSAPI key
       exchange algorithms. To opt-out from the policy for client,
       override the global ssh_config with a user-specific configuration
       in ~/.ssh/config. See ssh_config(5) for more information. To
       opt-out from the policy for server, uncomment the line containing
       CRYPTO_POLICY= in /etc/sysconfig/sshd .

이전 시스템에서는 사람들이 기본값에서 벗어나기 위해 한 줄에서 비밀번호를 찾아 추가하거나 제거했으며 /etc/ssh/sshd_config, 이로 인해 sshd구성이 다시 로드되었습니다.

예를 들어 RHEL 7에서는 Ciphers기본값이 지정되지 않습니다.

Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

시스템 중 하나에서는 3des-cbc기본적으로 켜져 있기 때문에 누군가가 비밀번호 줄을 추가하여 이를 제거했는지 묻는 질문을 받았습니다.