Remove hmac-ripemd160 from MACs

[LeoVerto]

OpenSSH is planning to remove RIPEMD-160 support along with Blowfish and RC4. 1

Secure Secure Shell currently recommends including hmac-ripemd160-etm and hmac-ripemd160 in the list of MACs, both of which aren't part of the default list. 2

Shouldn't Secure Secure Shell no longer recommend these algorithms if they aren't even part of the default configuration anymore?

[madbence]

fyi, ssh-audit (i recently discovered this simple python script) also recommends removing it.

[Noctem]

It's been removed now so I just opened a PR for removing it from the page: #49

[matteoipri]

I just updated my systems which run archlinux. I followed this guide as suggested in archwiki and I ended up with non working ssh. I confirm that removing the two MACs above solves the issue. sshd was complaining of invalid ssh2 MACs specified.

[graysky2]

@matteoipri - Yes, the new update causes problems with the currently suggested MACs:
@stribika - You really need to update your guide to reflect the current upstream status... without physical access to the sever, simply updating to openssh 7.6p1 will cause instantaneous breakage and major pain in the balls.

fatal: rexec line 21: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'.

As @Noctem stated, it looks like #49 may address this. For reference, the following is what I'm using and passes the ssh-audit recommendations:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512

[jasonkarns]

This can be closed now, due to 6cb1ee5