
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.


Overview

Finding ID: V-22460
Version: GEN005507
Rule ID: SV-35220r1_rule
IA Controls: DCNR-1
Severity: Medium
Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
STIG: HP-UX 11.23 Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( C-36635r1_chk )
Check the SSH daemon configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=MACs
arg(s)=hmac-sha1

Default values include: "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "macs"

If the returned configuration MACs list contains any MAC other than hmac-sha1, this is a finding.
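The check above can be scripted so that it evaluates the effective MACs list the same way the manual procedure does: case-insensitive keyword match, case-sensitive MAC names, the first uncommented MACs line winning, and the default list quoted above applying when no MACs line is present. This is an added example, not part of the STIG; the sample configuration files it writes are constructed here, and the /opt/ssh/etc/sshd_config path is only referenced by the original check.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate a sshd_config against GEN005507.

# Constructed sample configurations, not taken from any real host.
make_samples() {
  printf 'Protocol 2\n\tmacs  hmac-sha1\n#MACs hmac-md5\n' > sample_pass.conf
  printf 'Protocol 2\nMACs hmac-md5,hmac-sha1\n' > sample_fail.conf
  printf 'Protocol 2\n' > sample_default.conf
}

# Print the effective MACs argument for the file given as $1.
# Normalises tabs and runs of spaces like the STIG pipeline, drops comment
# lines, matches the keyword case-insensitively and takes the first hit
# (sshd honours the first occurrence). With no MACs line, the default list
# quoted in the check text applies.
effective_macs() {
  _m=$(tr '\011' ' ' < "$1" | tr -s ' ' | sed -e 's/^[ ]*//' | grep -v '^#' \
       | grep -i '^macs ' | head -n 1 | cut -d' ' -f2)
  if [ -n "$_m" ]; then
    printf '%s\n' "$_m"
  else
    printf '%s\n' 'hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168'
  fi
}

# Return 0 when every listed MAC is exactly hmac-sha1 (compared
# case-sensitively), 1 when any other MAC is allowed (a finding).
check_macs() {
  _list=$(effective_macs "$1")
  _rc=0
  _old_ifs=$IFS
  IFS=,
  for _mac in $_list; do
    [ "$_mac" = "hmac-sha1" ] || { echo "finding: $1 allows $_mac"; _rc=1; }
  done
  IFS=$_old_ifs
  return $_rc
}

make_samples
check_macs sample_pass.conf && echo "sample_pass.conf: compliant"
check_macs sample_fail.conf || echo "sample_fail.conf: finding"
check_macs sample_default.conf || echo "sample_default.conf: finding (defaults apply)"
```

To run it against a real daemon, pass /opt/ssh/etc/sshd_config to check_macs instead of the sample files.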
Fix Text (F-32005r1_fix)
Edit the SSH daemon configuration and remove any MACs other than hmac-sha1. If necessary, add a MACs line.