Title

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. (Cat II impact)

Discussion

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.

Check Content

Check the SSH daemon configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive. Examine the file. # cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "macs" If no lines are returned, or the returned MACs list contains any MAC that is not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list, this is a finding.

Fix Text

Edit the SSH daemon configuration and remove any MACs that are not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list. If necessary, add a MACs line.

Additional Identifiers

Rule ID: SV-35220r2_rule

Vulnerability ID: V-22460

Group Title: GEN005507

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.