5.2.14 Ensure only strong MAC algorithms are used

Information

This variable limits the types of MAC algorithms that SSH can use during communication.

Rationale:

MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs
Example:

MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

Default Value:

MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected]

References:

More information on SSH downgrade attacks can be found here: http://www.mitls.org/pages/attacks/SLOTH

SSHD_CONFIG(5)




Notes:

Some organizations may have stricter requirements for approved MACs. Ensure that MACs used are in compliance with site policy.

The only MACs currently FIPS 140-2 approved are hmac-sha2-256 and hmac-sha2-512

The Supported MACs are:

hmac-md5

hmac-md5-96

hmac-ripemd160

hmac-sha1

hmac-sha1-96

hmac-sha2-256

hmac-sha2-512

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

See Also

https://workbench.cisecurity.org/files/2619

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5, 800-53|SC-8, CSCv7|14.4, CSCv7|16.5

Plugin: Unix

Control ID: 47ee67b98c93aa05d7cf649650b454ccbd2ec5f3a60ed7fc92e4e9703ed1bb5a