5.3.17 Ensure only strong MAC algorithms are used - MACs employing FIPS 140-2 approved cryptographic hash algorithms.


This variable Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated.

Note: Some organizations may have stricter requirements for approved MACs. Ensure that MACs used are in compliance with site policy.


MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information


Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs

MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

Default Value:

MACs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected]

See Also


Item Details


References: 800-53|AC-17(2), CCI|CCI-001453, CSCv7|14.4, CSCv7|16.5, Rule-ID|SV-204595r744117_rule, STIG-ID|RHEL-07-040400

Plugin: Unix

Control ID: ac6f9737126515157de346ac9902a6d78af0e9836cdf519587586b1c4c2f51bc