脆弱な server_host_key_algorithm 「 ssh-dss 」を ONTAP で無効にする方法

最後の更新
PDFとして保存

Views:: 82

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

のしんだ

に適用されます

ONTAP 9
ネットワークセキュリティ

問題

脆弱性スキャナが SSH サーバの公開キーが小さすぎることを報告しました :

2 port 22/tcp SSH Server Public Key Too Small QID: 38738 Category: General remote services CVE ID: Vendor Reference: Bugtraq ID: Service Modified: 01/03/2019 User Modified: Edited: No PCI Vuln: Yes THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The SSH Server is using a small Public Key. Best practices require that RSA digital signatures be 2048 or more bits long to provide adequate security. Key lengths of 1024 are acceptable through 2013, but since 2011 they are considered deprecated. For more information, please refer to NIST Special Publication 800-131A (http://nvlpubs.nist.gov/nistpubs/Spe...800-131Ar1.pdf (http://nvlpubs.nist.gov/nistpubs/Spe...800-131Ar1.pdf)). Only server keys that are not part of a certificate are reported in this QID. OpenSSH certificates using short keys are reported in QID 38733. X.509 Scan Results page 8 certificates using short keys are reported in QID 38171. IMPACT: A man-in-the-middle attacker can exploit this vulnerability to record the communication to decrypt the session key and even the messages. SOLUTION: DSA keys and RSA keys shorter than 2048 bits are considered vulnerable. It is recommended to install a RSA public key length of at least 2048 bits or greater, or to switch to ECDSA or EdDSA. COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RESULTS: Algorithm Length ssh-dss 1024 bits