How to remediate CVE-2023-48795
System environment
- OS: Rocky Linux 8
How to check
Try to log in with the at-risk ciphers; the check passes if the login cannot be established.
ssh -oCiphers=[email protected],3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [email protected]
The following message means the remediation is complete:
Unable to negotiate with 192.168.122.81 port 22: no matching cipher found. Their offer: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
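The same check run one cipher at a time, so that any cipher the server still accepts is named in the result. This is an added example, not part of the original procedure: the function names and the target admin@192.0.2.10 are hypothetical, and the default list holds only the CBC ciphers from the command above (pass further cipher names as extra arguments).

```shell
#!/bin/sh
# Added example: probe an SSH server with one cipher per connection attempt.
# Default probe list: the CBC ciphers from the check command above.
PROBE_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc"

# classify_probe STATUS STDERR -> prints refused | accepted | unknown
classify_probe() {
    case "$2" in
        # The server offered nothing matching the probed cipher.
        *"no matching cipher found"*) echo refused; return ;;
        # These errors occur only after cipher negotiation has succeeded.
        *"Permission denied"*|*"Host key verification failed"*)
            echo accepted; return ;;
    esac
    # A clean exit means a full session ran over the probed cipher.
    if [ "$1" -eq 0 ]; then echo accepted; else echo unknown; fi
}

# audit_host TARGET [CIPHER...] -> returns 0 only if every probe was refused
audit_host() {
    target=$1; shift
    [ $# -gt 0 ] || set -- $PROBE_CIPHERS
    failed=0
    for c in "$@"; do
        status=0
        # BatchMode avoids password prompts; only stderr is captured.
        err=$(ssh -oBatchMode=yes -oConnectTimeout=5 -oCiphers="$c" \
                  "$target" true 2>&1 >/dev/null) || status=$?
        verdict=$(classify_probe "$status" "$err")
        printf '%-12s %s\n' "$c" "$verdict"
        # "unknown" (timeout, refused connection, ...) is not a pass.
        [ "$verdict" = refused ] || failed=1
    done
    return $failed
}

# Usage (placeholder target): audit_host admin@192.0.2.10
```

No valid credentials are needed: a "Permission denied" reply already shows that the cipher was negotiated.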
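Remediation steps
- Update the file: /etc/sysconfig/sshd
Uncomment the line #CRYPTO_POLICY=
so that it reads as follows. An empty CRYPTO_POLICY opts sshd out of the system-wide crypto policy, so the algorithm lists set in sshd_config take effect.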
CRYPTO_POLICY=
- Update the file: /etc/ssh/sshd_config
Add the following lines to restrict the allowed algorithms
KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
- Check that the configuration is valid
sudo sshd -t
- Restart the sshd service
sudo systemctl restart sshd