As it needs a lot of re-working to eliminate CVE-2023-48795.

We instead apply a mitigation to address CVE-2023-48795 by disabling the following encryptions and MACs by default:

Encryption

chacha20-poly1305@openssh.com


MAC

the MACs with -etm@openssh.com suffix.



For more information, you may find on this NIST report.

Nexus vulnerability scanning

PASSED (report by @timlai).


connection test with specified encryption (ssh <server name> -c <encryption>)

PASSED (the server should reject the connection)


connection test with specified MAC (ssh <server name> -m <MAC>)

PASSED (the server should reject the connection)


APV terminal output of ssh cipher

PASSED (should show New ciphers, separated by commas. Supported ciphers are:aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com)