Вы, вероятно, установили openjdk-8-jre
, который устанавливает/usr/lib/jvm/java-1.8.0-openjdk-amd64
(на amd64
), но содержит только JRE, а не полный JDK. Чтобы установить JDK, вам также необходимо установить пакет openjdk-8-jdk
.
man sshd_config
описывает Ciphers
.
На Centos 8,man sshd_config
:
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-
separated. If the specified value begins with a ‘+’ character,
then the specified ciphers will be appended to the default set
instead of replacing them. If the specified value begins with a
‘-’ character, then the specified ciphers (including wildcards)
will be removed from the default set instead of replacing them.
The supported ciphers are:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
The default is handled system-wide by crypto-policies(7). To see
the defaults and how to modify this default, see manual page
update-crypto-policies(8).
The list of available ciphers may also be obtained using "ssh -Q
cipher".
CentOS 8 относится к man crypto-policies
, поэтому смотрите там.
В моей системе ls -l /etc/crypto-policies/back-ends | grep ssh
дает подсказку:
lrwxrwxrwx. 1 root root 45 Aug 14 20:36 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
lrwxrwxrwx. 1 root root 46 Aug 14 20:36 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root 52 Aug 14 20:36 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
$ cat /usr/share/crypto-policies/DEFAULT/opensshserver.txt
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
Этот абзац справочной страницы crypto-policies
является намеком на то, что политика должна измениться наLEGACY
(См. также:man update-crypto-policies
):
PROVIDED POLICY LEVELS
LEGACY
This policy ensures maximum compatibility with legacy systems; it
is less secure and it includes support for TLS 1.0, TLS 1.1, and
SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
allowed, while RSA and Diffie-Hellman parameters are accepted if
larger than 1023 bits. The level provides at least 64-bit security.
· MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
etc.)
· Curves: all prime >= 255 bits (including Bernstein curves)
· Signature algorithms: with SHA1 hash or better (DSA allowed)
· TLS Ciphers: all available >= 112-bit key, >= 128-bit block
(including RC4 and 3DES)
· Non-TLS Ciphers: same as TLS ciphers with added Camellia
· Key exchange: ECDHE, RSA, DHE
· DH params size: >= 1023
· RSA keys size: >= 1023
· DSA params size: >= 1023
· TLS protocols: TLS >= 1.0, DTLS >= 1.0
На самом деле 3des-cbc
присутствует в файле LEGACY.
$ grep -l 3des-cbc /usr/share/crypto-policies/LEGACY/opensshserver.txt
/usr/share/crypto-policies/LEGACY/opensshserver.txt
Или следуйте инструкциям по настройке CUSTOM-политики:
CUSTOM POLICIES
The custom policies can take two forms. First form is a full custom
policy file which is supported by the update-crypto-policies tool in
the same way as the policies shipped along the tool in the package.
The second form can be called a subpolicy or policy modifier. This form
modifies aspects of any base policy file by removing or adding
algorithms or protocols. The subpolicies can be appended on the
update-crypto-policies --set command line to the base policy separated
by the : character. There can be multiple subpolicies appended.
Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
hash and subpolicy GOST that enables support for the various algorithms
specified in Russian GOST standards. You can set the DEFAULT policy
with disabled SHA1 support and enabled GOST support by running the
following command:
update-crypto-policies --set DEFAULT:NO-SHA1:GOST
This command generates and applies configuration that will be
modification of the DEFAULT policy with changes specified in the
NO-SHA1 and GOST subpolicies.
Или следуйте инструкциям по отказу от crypto-policy
для sshd
:
· OpenSSH: Both server and client application inherits the cipher
preferences, the key exchange algorithms as well as the GSSAPI key
exchange algorithms. To opt-out from the policy for client,
override the global ssh_config with a user-specific configuration
in ~/.ssh/config. See ssh_config(5) for more information. To
opt-out from the policy for server, uncomment the line containing
CRYPTO_POLICY= in /etc/sysconfig/sshd.
В старых системах нужно было искать и добавлять или удалять шифры в строке в /etc/ssh/sshd_config
, чтобы отклониться от значений по умолчанию, а затем sshd
перезагружать свою конфигурацию.
Например, на RHEL 7 значение по умолчанию, если Ciphers
не указано:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
В одной из таких систем можно было бы спросить, удалил ли кто-нибудь 3des-cbc
путем добавления строки Ciphers, поскольку она включена по умолчанию.