5.1.15 Ensure sshd MACs are configured

Information

This variable limits the types of MAC algorithms that SSH can use during communication.

Notes:

- Some organizations may have stricter requirements for approved MACs.
- Ensure that MACs used are in compliance with site policy.
- The only "strong" MACs currently FIPS 140 3 approved are:
- [email protected] mailto:[email protected]
- [email protected] mailto:[email protected]
- hmac-sha2-256
- hmac-sha2-512

MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.

Solution

Note:

- First occurrence of an option takes precedence.
- Though MACs may be configured through the MACs option in the /etc/ssh/sshd_config file, it is recommended that the MACs available to openSSH server are configured through system-wide-crypto-policy
- If the recommendations in the subsection "Configure system wide crypto policy" have been followed, this Audit should be in a passing state. Please review that section before following this Remediation Procedure
- By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config be added before any lines containing the MACs argument.
- Defaults:
- The file /etc/ssh/sshd_config includes the line: Include /etc/ssh/sshd_config.d/*.conf . This line must appear before any lines containing the MACs argument
- This directory /etc/ssh/sshd_config.d/ includes a file /etc/ssh/sshd_config.d/50-redhat.conf
- The file /etc/ssh/sshd_config.d/50-redhat.conf includes the line Include /etc/crypto-policies/back-ends/opensshserver.config
- The file /etc/crypto-policies/back-ends/opensshserver.config is generated by system-wide-crypto-policy

Create or edit a file in /etc/crypto-policies/policies/modules/ ending in .pmod and add or modify the the following line:

mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128* -HMAC-SHA1*

Example:

# printf '%s\n' "# This is a subpolicy to disable weak MACs" "# for the SSH protocol (libssh and OpenSSH)" "mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128* -HMAC-SHA1*" >> /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod

Run the following command to update the system-wide cryptographic policy

# update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3>

Example:

# update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHCHACHA20:NO-SSHETM:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS

Run the following command to reload the openSSH server to make your cryptographic settings effective:

# systemctl reload-or-restart sshd

- OR - If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended )

Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site unapproved (weak) MACs preceded with a - above any Include entries:

Example:

MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]

Item Details

Audit Name: CIS Rocky Linux 10 v1.0.0 L1 Server

Category: ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

Plugin: Unix

Control ID: 2d538faf2fc6454c46d81f0bb5d7128a45aea25dd5fb9eece4d620e8095c8fca

Detections

Analytics

5.1.15 Ensure sshd MACs are configured

Information

Solution

See Also

Item Details