
Stronger SSH MAC Algorithms

Submitted by
Status: New Idea

Upgrade the SSH used to support/default to stronger MAC algorithms. Pen test/vuln scans are showing detected vulnerabilities due to the hmac-md5 setting. Please upgrade to support:

hmac-sha2-256,hmac-sha2-512

I have confirmed this exists on UniFi switches; I haven't tested for the issue on the USG, but I would assume it is there as well.
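As an added illustration (not from the post or from Ubiquiti), the check a scanner makes here is simple: read the MAC name-lists a server advertises in its SSH_MSG_KEXINIT (RFC 4253 section 7.1) and flag MD5- or SHA-1-based entries. The script below parses a KEXINIT payload and audits it; the payload bytes are a constructed sample standing in for what a device defaulting to hmac-md5 would send, so it runs offline.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1)
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# MACs a scanner flags: MD5- and SHA-1-based, including 96-bit truncations
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"}

def _name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Return the name-lists of a decoded KEXINIT payload as a dict."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, fields = 17, {}          # skip 1-byte message id + 16-byte cookie
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    return fields

def audit_macs(payload):
    """Return the sorted weak MACs the server offers in either direction."""
    f = parse_kexinit(payload)
    offered = set(f["mac_c2s"]) | set(f["mac_s2c"])
    return sorted(offered & WEAK_MACS)

def build_kexinit(lists):
    """Construct a KEXINIT payload from ten name-lists (sample fixture only)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: what a device still defaulting to hmac-md5 might advertise
WEAK_SERVER = build_kexinit([
    ["diffie-hellman-group14-sha1"], ["ssh-rsa"],
    ["aes128-ctr"], ["aes128-ctr"],
    ["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
    ["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
    ["none"], ["none"], [], []])

if __name__ == "__main__":
    print("weak MACs offered:", audit_macs(WEAK_SERVER))  # ['hmac-md5', 'hmac-sha1']
```

A server that advertises only the requested hmac-sha2-256,hmac-sha2-512 lists yields an empty result.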

Comments
on 04-20-2019 05:50 PM
Confirming above issue, also confirming it exists on UniFi AP-AC-LR and UniFi AP-AC-Pro currently running 4.0.21.9965, so I'd suspect it's a weakness in the entire range of UniFi AP and Switch products. Doesn't appear to be an issue on USG4P running 4.4.36.5146617 - I'm guessing as that is based off a completely different source tree. Yes, we could whitelist this error on our scanners, but to be fair anyone whitelisting SSH server setup warnings arguably needs to reconsider their career choices ;) I realise there may be some performance hit during login or initial key generation, but honestly MD5 and SHA1 have absolutely no place in anything claiming to provide security. If this were 2009, I'd consider it a feature request. In 2019, this is nothing but a straight up security flaw bug.