UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22463 GEN005512 SV-35210r2_rule DCNR-1 Medium
Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
STIG Date
HP-UX 11.23 Security Technical Implementation Guide 2013-07-02

Details

Check Text ( C-36638r2_chk )
Check the SSH client configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=MACs
arg(s)=hmac-sha2-512,hmac-sha2-256,hmac-sha1

Default values include: "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/ssh_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "macs"

If the MACs list contains any MAC other than hmac-sha2-512, hmac-sha2-256, or hmac-sha1, this is a finding.
Fix Text (F-32009r1_fix)
Edit the SSH client configuration and remove any MACs other than hmac-sha1. If necessary, add a MACs line.