How to disable MD5-based HMAC algorithms for SSH

How do you disable MD5-based HMAC algorithms for ssh on Linux?

  1. Make sure the openssh package has been updated to the latest available version.

  2. To change the ciphers and MD5-based MACs in use, edit the sshd_config file. Following the man page, we can add the Ciphers and MACs options.
    For example:

# vi /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

From the sshd_config man page:

# man sshd_config
     Ciphers
             Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be comma-separated.  The supported ciphers are
             “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”,
             “arcfour”, “blowfish-cbc”, “rijndael-cbc@lysator.liu.se”, and “cast128-cbc”.  The default is:
                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
     MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used in protocol version 2 for data
             integrity protection.  Multiple algorithms must be comma-separated.  The default is:
                   hmac-md5,hmac-sha1,umac-64@openssh.com,
                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
  3. Restart the sshd service.
# service sshd restart       ### For CentOS/RHEL 6
# systemctl restart sshd     ### For CentOS/RHEL 7
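
A check to run against the edited file before restarting sshd, added here as an example and not part of the original article: it reports which MD5-based MACs an sshd_config would still enable, treating a missing MACs line as the default list from the man page excerpt above. The function names and sample files are constructed for illustration, and it assumes the explicit comma-separated list form of the MACs line shown above.

```shell
#!/bin/sh
# Added example: audit sshd_config text for MD5-based MACs.
# Default list copied from the man page excerpt quoted above.
DEFAULT_MACS='hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com'

# effective_macs FILE: the MAC list sshd would take from FILE. Keywords are
# case-insensitive and the first MACs line wins; with none, the default applies.
effective_macs() {
    macs=$(awk '{ sub(/#.*/, "") }
                tolower($1) == "macs" { print $2; exit }' "$1")
    printf '%s\n' "${macs:-$DEFAULT_MACS}"
}

# md5_macs FILE: MD5-based entries of the effective list, comma-separated.
md5_macs() {
    effective_macs "$1" | tr ',' '\n' | grep -i 'md5' | paste -sd, -
}

# check_config FILE: status 0 when no MD5-based MAC is enabled, 1 otherwise.
check_config() {
    found=$(md5_macs "$1")
    [ -z "$found" ] && { echo "OK: $1"; return 0; }
    echo "FAIL: $1 still enables $found"
    return 1
}

# Constructed sample files (not taken from a real host).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
# 1. The MACs line from the example above.
printf '%s\n' 'MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com' > "$SAMPLES/hardened"
# 2. Directive commented out, so the default list (with MD5) applies.
printf '%s\n' '#MACs hmac-sha2-256' 'Ciphers aes128-ctr' > "$SAMPLES/default"
# 3. Lower-case keyword with an MD5 entry left in.
printf '%s\n' 'macs hmac-sha2-256,hmac-md5-96' > "$SAMPLES/partial"

for f in hardened default partial; do
    check_config "$SAMPLES/$f" || true
done
```

On a live host, `sshd -t` checks the edited file for syntax errors before the restart.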
Date: 2020-09-17 00:13:31 Source: oir Author: oir