OCI: Handling Deprecated SSH Cipher Alerts in Environments Using Active Directory

Applies To:

Oracle Cloud Infrastructure

Oracle Linux x86_64

Symptoms:

During a vulnerability scan, the system was flagged with QID: 38739 – Deprecated SSH Cryptographic Settings. The scan indicates that CBC-mode ciphers such as aes128-cbc and aes256-cbc are enabled for SSH. However, these ciphers are not explicitly listed in the sshd_config file.

When attempting to remediate the finding by applying a stricter system-wide cryptographic policy as described in the referenced document, the server experienced Active Directory login failures. Users were unable to authenticate via AD, and the issue was only resolved by reverting the cryptographic policy to the default with update-crypto-policies --set DEFAULT.

Cause:

The deprecated SSH CBC ciphers are allowed by the system’s default cryptographic policy, even if not explicitly configured in
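The following is an added example, not part of the Oracle note: it checks the cipher list that sshd actually offers (the one supplied by the crypto policy, which is why it does not appear in sshd_config) for CBC entries, and renders a crypto-policies module that removes the two flagged ciphers from the SSH scope only, so the Kerberos and TLS settings that AD logins depend on stay at their DEFAULT values. The module name NO-SSH-CBC and the sample cipher line are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle note): scope the CBC removal to SSH
# instead of switching the whole system to a stricter policy.

# Return 0 if a "ciphers ..." line in `sshd -T` format lists a CBC-mode cipher.
has_cbc_ciphers() {
    # $1 looks like: ciphers aes256-gcm@openssh.com,aes128-cbc,...
    echo "$1" | tr ',' '\n' | grep -q -- '-cbc$'
}

# Print the effective cipher line of the running sshd (needs root; sshd -T
# expands the Include of /etc/crypto-policies/back-ends/opensshserver.config).
effective_ssh_ciphers() {
    sshd -T 2>/dev/null | grep '^ciphers '
}

# Render a crypto-policies module (.pmod) that drops the two flagged ciphers
# from the SSH scope only; cipher@SSH leaves Kerberos and TLS back ends alone.
render_no_ssh_cbc_module() {
    cat <<'EOF'
# Remove CBC-mode ciphers from SSH only; other back ends keep DEFAULT settings.
cipher@SSH = -AES-256-CBC -AES-128-CBC
EOF
}

# Constructed sample of an `sshd -T` cipher line under the DEFAULT policy
# (not a real capture); used when sshd is not available on this host.
SAMPLE_DEFAULT="ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"

main() {
    line=$(effective_ssh_ciphers || true)
    [ -n "$line" ] || line="$SAMPLE_DEFAULT"
    if has_cbc_ciphers "$line"; then
        echo "CBC ciphers still offered by sshd: $line"
        echo "Install the module below as /etc/crypto-policies/policies/modules/NO-SSH-CBC.pmod,"
        echo "then run: update-crypto-policies --set DEFAULT:NO-SSH-CBC && systemctl restart sshd"
        render_no_ssh_cbc_module
    else
        echo "No CBC ciphers offered: $line"
    fi
}

main "$@"
```

After applying the module, rerun the check and retest an AD login before closing the scan finding; the Kerberos scope of the policy is unchanged, which is the point of scoping the directive to SSH.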
